SAML IdP keys and metadata problems


Richard Frovarp

Jan 7, 2023, 12:32:19 AM
to cas-...@apereo.org
I'm having two different problems related to SAML 2 keys and metadata on
6.6.3.

If I have org.apereo.cas:cas-server-support-saml-idp-metadata-git
enabled, I get an NPE when trying to access the metadata URL. I have
enforced the default false flag to indicate that the IdP metadata
shouldn't expect to be found in there. The NPE isn't very helpful:

023-01-06 15:34:25,629 ERROR
[org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas].[dispatcherServlet]]
- <Servlet.service() for servlet [dispatcherServlet] in context with
path [/cas] threw exception [Request processing failed; nested exception is
 java.lang.NullPointerException] with root cause>
java.lang.NullPointerException: null
        at
org.apereo.cas.support.saml.web.idp.metadata.SamlIdPMetadataController.generateMetadataForIdp(SamlIdPMetadataController.java:61)
~[cas-server-support-saml-idp-web-6.6.3.jar!/:6.6.3]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
Method) ~[?:?]
        at
jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
~[?:?]
        at
jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[?:?]

If I don't have idp metadata git enabled, then if I don't have the
metadata file in the directory, it replaces my keys and generates a new
metadata file. I ideally would like to keep my existing keys and have it
generate a new metadata file for the new version. Guessing I just need
to create it with bogus keys elsewhere and swap in my certs and put it
somewhere that CAS can't write to it? It seems wrong for it to
regenerate the keys, and I haven't found the correct section of the
documentation at this point in time.

Thanks,

Richard

Ray Bon

Jan 9, 2023, 12:42:37 PM
to cas-...@apereo.org
Richard,

Cas only generates the metadata and keys if it cannot find them. You can always swap in your metadata and keys to whatever location cas thinks is correct.
Not sure about the exception. Perhaps it is missing something related to git; path, write permissions, initialized repo, etc.

Ray


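A check that follows from Ray's advice, added here as an example (not CAS code and not from either poster): before and after an upgrade, confirm that the certificates embedded in the IdP metadata file still equal the .crt files on disk, so a silent regeneration of the key pair is caught before service providers start rejecting assertions. The signing/encryption roles follow the SAML KeyDescriptor use attribute; the file names idp-metadata.xml and the .crt files are assumptions about the CAS metadata directory layout, and the sample metadata and PEM bodies are constructed dummy data.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS, "ds": "http://www.w3.org/2000/09/xmldsig#"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM (.crt) file."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def metadata_certs(metadata_xml: str) -> dict:
    """Map each KeyDescriptor 'use' (signing/encryption, 'both' if absent) to its DER cert."""
    certs = {}
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD_NS}}}KeyDescriptor"):
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is not None and cert.text:
            certs[kd.get("use", "both")] = base64.b64decode("".join(cert.text.split()))
    return certs

def check_consistency(metadata_xml: str, disk_pems: dict) -> dict:
    """Per role, report whether the cert embedded in idp-metadata.xml equals the .crt on
    disk, with SHA-256 fingerprints of both so a silent regeneration is easy to spot."""
    embedded, report = metadata_certs(metadata_xml), {}
    for use, pem in disk_pems.items():
        disk_der, md_der = pem_to_der(pem), embedded.get(use) or embedded.get("both")
        report[use] = {"match": md_der == disk_der,
                       "metadata_sha256": hashlib.sha256(md_der).hexdigest() if md_der else None,
                       "disk_sha256": hashlib.sha256(disk_der).hexdigest()}
    return report

# Constructed sample (dummy bytes, not real certificates): the metadata still embeds the
# old encryption cert while the .crt on disk was regenerated, as the thread describes.
def _kd(use: str, der: bytes) -> str:
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
            f'{base64.b64encode(der).decode()}</ds:X509Certificate></ds:X509Data>'
            '</ds:KeyInfo></md:KeyDescriptor>')

SIGN_DER, OLD_ENC_DER, NEW_ENC_DER = b"dummy-signing", b"dummy-enc-old", b"dummy-enc-new"
SAMPLE_METADATA = (f'<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{NS["ds"]}" '
                   'entityID="https://cas.example.org/idp"><md:IDPSSODescriptor>'
                   f'{_kd("signing", SIGN_DER)}{_kd("encryption", OLD_ENC_DER)}'
                   '</md:IDPSSODescriptor></md:EntityDescriptor>')
SAMPLE_PEMS = {u: "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(d).decode()
               for u, d in (("signing", SIGN_DER), ("encryption", NEW_ENC_DER))}
```

To run it against a real deployment, read idp-metadata.xml into the first argument and the signing and encryption .crt files into the second; any role reported as a mismatch means the metadata your SPs hold no longer describes the keys CAS is using.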

Richard Frovarp

Jan 9, 2023, 10:42:39 PM
to cas-...@apereo.org
Ideally it would generate the metadata when it can't find that, and leave the keys alone. Not a whole lot changes between versions as far as the idp metadata is concerned, but it would be nice if it could generate it when needed.

Even with it generated with the git metadata bit commented out in the build.gradle file, I still get the exception when I add it back. The repo is initialized and checked out. It's also set in CAS to not get updates and not get IdP metadata. My setup is less than ideal, as the config area is owned by the user I'm running CAS as at the moment, so it has all of the write permissions it needs. So I think it is a bug. I don't see where one can submit bugs.

Richard