SAML specify signing cert/key


atilling

Jan 31, 2024, 12:32:23 PM
to CAS Community
We're trying to move from Shibboleth/CAS to just CAS, with CAS as the SAML provider. We want to have as little downtime as possible, so I'm trying to have CAS use the same signing and encryption keys as the Shibboleth server.

I've been over the documentation for the IDP and I'm not seeing how to specify the cert or where CAS generates it from if it's being generated.

Is there a property to specify the cert/key pair for signing?

atilling

Jan 31, 2024, 11:49:51 PM
to CAS Community, atilling
Using the property 
cas.authn.saml-idp.metadata.file-system.location=file:/etc/cas/saml/idp

I can get CAS to export the idp-signing cert and key that it's using, but is there a way to swap that, so I can update the idp-signing.crt/key and CAS imports them?

atilling

Feb 1, 2024, 2:56:02 PM
to CAS Community, atilling
Even tried the instructions here https://fawnoos.com/2019/12/16/cas62x-saml2-metadata-service/ to set a service specific signing key pair and it's still using a cert that doesn't appear in any idp_signing file.

Ray Bon

Feb 1, 2024, 2:56:02 PM
to cas-...@apereo.org, atil...@conncoll.edu
CAS creates metadata and certs when they do not exist.
Create them and put them in that directory and CAS will use your files.

Ray


On Wed, 2024-01-31 at 13:35 -0800, atilling wrote:

atilling

Feb 2, 2024, 1:42:16 PM
to CAS Community, Ray Bon, atil...@conncoll.edu
Seems to be pulling them in now, thank you
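A way to confirm what the thread settled on: that the signing certificate CAS now publishes in its IdP metadata is the one you dropped into the metadata directory (the idp-signing.crt next to idp-metadata.xml under the path given by cas.authn.saml-idp.metadata.file-system.location). The script below is an added example, not code from this thread or from the CAS project. It compares the SHA-256 fingerprint of the PEM certificate on disk with the fingerprints of every signing-capable certificate in the metadata's IDPSSODescriptor. The sample metadata and the two "certificates" embedded in it are constructed placeholders, not real X.509 data, so the check runs offline; pass real file paths on the command line to run it against a live CAS directory.

```python
"""Verify that a CAS SAML IdP's published metadata carries the signing
certificate placed in its metadata directory (e.g. idp-signing.crt).
Added example; the sample inputs below are constructed, not real certs."""
import base64
import hashlib
import re
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def cert_der_from_pem(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def signing_cert_fingerprints(metadata_xml: str) -> list:
    """Fingerprints of every IdP certificate the metadata allows for signing.
    A KeyDescriptor with no 'use' attribute covers both signing and encryption,
    so it is included; use="encryption" descriptors are skipped."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for x509 in kd.findall(".//ds:X509Certificate", NS):
            # Metadata base64 is often wrapped and indented; strip all whitespace.
            der = base64.b64decode("".join((x509.text or "").split()))
            found.append(fingerprint(der))
    return found


def metadata_uses_cert(metadata_xml: str, pem_text: str) -> bool:
    """True if the PEM certificate is one of the metadata's signing certs."""
    return fingerprint(cert_der_from_pem(pem_text)) in signing_cert_fingerprints(metadata_xml)


# ---- constructed sample inputs (placeholders, not real X.509 certificates) ----
_SIGNING_DER = b"constructed placeholder, not a real X.509 certificate (signing)"
_ENCRYPTION_DER = b"constructed placeholder, not a real X.509 certificate (encryption)"


def _pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block, 64 characters per line."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_SIGNING_PEM = _pem(_SIGNING_DER)        # stands in for idp-signing.crt
SAMPLE_ENCRYPTION_PEM = _pem(_ENCRYPTION_DER)  # stands in for idp-encryption.crt

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(_SIGNING_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(_ENCRYPTION_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


if __name__ == "__main__":
    # Usage: python check_idp_signing.py /etc/cas/saml/idp/idp-metadata.xml /etc/cas/saml/idp/idp-signing.crt
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_meta, open(sys.argv[2]) as f_pem:
            ok = metadata_uses_cert(f_meta.read(), f_pem.read())
    else:
        ok = metadata_uses_cert(SAMPLE_METADATA, SAMPLE_SIGNING_PEM)
    print("metadata publishes the supplied signing cert" if ok
          else "MISMATCH: metadata does not carry the supplied signing cert")
    sys.exit(0 if ok else 1)
```

Running this right after restarting CAS with your own files in place tells you whether CAS picked them up or regenerated its own pair (the symptom described earlier in the thread, a published cert that appears in no idp-signing file). The encryption descriptor is deliberately excluded from the comparison so that an encryption cert accidentally reused for signing is not reported as a match.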

Ray Bon

Feb 2, 2024, 9:57:11 PM
to cas-...@apereo.org, atil...@conncoll.edu


On Thu, 2024-02-01 at 10:45 -0800, atilling wrote:
