CAS SAML with Atlassian Cloud


Neon Dazzle

Nov 2, 2024, 12:02:52 AM
to CAS Community
Hi everyone, we have CAS6 and are trying to set up SSO with our Atlassian org on the cloud. It seems like we almost have it: we get redirected to CAS and the login works, but we can't get redirected to Atlassian after; we are stuck in CAS.
It seems like there are no JSON parameters for redirection, so I'm wondering where we should put the ACS address given by Atlassian.
All our other services connected with CAS provide metadata files so it's easy, but Atlassian doesn't provide that.
Has anyone been able to set up SSO with Atlassian Cloud?

Ray Bon

Nov 4, 2024, 1:38:22 PM
to cas-...@apereo.org
Neon,

ACS is required in metadata. 
You can create the metadata file if the vendor does not supply it. There are some online services that will help.

Ray


Neon Dazzle

Nov 5, 2024, 1:49:46 PM
to CAS Community, Ray Bon
Thank you so much for your answer.
I created the metadata file using a web service and added:

    <md:AssertionConsumerService
                        index="1"
                        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                        Location="https://atlassian.start.com" />

I'm still getting no redirection and I stay on the CAS website.

Ocean Liu

Nov 5, 2024, 11:38:01 PM
to CAS Community, Neon Dazzle, Ray Bon

Hi Neon,

The ACS url doesn’t look right in your metadata file.

Since you mentioned Atlassian will redirect you to your CAS, please check the SAMLRequest xml using a saml dev tool.

It should be something like this:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="https://auth.atlassian.com/login/callback?connection=saml-xxxx-xxxx-xxxx"
                     Destination="https://cas.example.com/idp/profile/SAML2/Redirect/SSO"
                     ID="_51xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                     IssueInstant="2024-11-05T19:45:53.620Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://auth.atlassian.com/saml/xxxx-xxxx-xxxx</saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</saml2p:AuthnRequest>

So the AssertionConsumerServiceURL in the above SAMLRequest XML will be what you need to put in the SP metadata. And make sure the Issuer from the SAMLRequest matches the entityID in the SP metadata.

Good luck!

Ray Bon

Nov 5, 2024, 11:38:01 PM
to chico...@gmail.com, cas-...@apereo.org
Neon,

The Location and Binding protocol must match what is sent in the request.
You can use a browser plugin like samltracer to see what the request/response looks like.
Also check cas logs.

Ray


Neon Dazzle

Nov 15, 2024, 11:46:18 AM
to CAS Community, Ray Bon, chico...@gmail.com

Thank you so much to both of you for your answers! It's very appreciated.
I did more tests and I still can't get this to work. I get the same result: I get sent to CAS from Atlassian, I enter my credentials, and then I don't get sent back to Atlassian, I'm stuck in CAS. The message says that I see this page because CAS doesn't know my final destination.
I installed samltracer as suggested to try and find my mistake but I can't see it :(.

Here is my metadata file:

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2024-11-03T19:47:00Z" cacheDuration="PT604800S" entityID="https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>[certificate omitted]</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>[certificate omitted]</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://auth.atlassian.com/login/callback?connection=saml-b87b0545-cb70-4fe0-8c96-61034fefb7cc" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>



And here is the request I see using saml-tracer:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="https://auth.atlassian.com/login/callback?connection=saml-b87b0545-cb70-4fe0-8c96-61034fefb7cc"
                     Destination="https://cas6dev.polymtl.ca/cas"
                     ID="_c59ebaed7f8b7fbc8dd55d5b0afb84fb"
                     IssueInstant="2024-11-15T15:59:41.525Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc</saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</saml2p:AuthnRequest>

Can you see any obvious mistake I am making?

Ocean Liu

Nov 15, 2024, 1:38:43 PM
to CAS Community, Neon Dazzle, Ray Bon

Neon, the Destination in the SAMLRequest does not look right.

It should be something like https://cas.example.com/idp/profile/SAML2/Redirect/SSO; please check the `<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"` part of your IdP metadata.

And then, you need to change the Identity provider SSO URL in your Atlassian admin panel: https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on-with-an-identity-provider/#Copy-details-from-your-identity-provider-to-your-Atlassian-organization

If you look at the dev tool, Atlassian was probably redirecting the client to the CAS home page (/cas) instead of the SSO page (/cas/idp/profile/SAML2/Redirect/SSO), so the CAS app does not know how to handle the parameters.

Good luck!

Neon Dazzle

Nov 15, 2024, 4:51:55 PM
to CAS Community, Ocean Liu, Neon Dazzle, Ray Bon
Thank you so much.
I changed the endpoint and now it's telling me my application is not authorized to use CAS. It's weird because I can see the service entry when I go to this endpoint: cas/actuator/registeredService

{
"serviceId": "https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc",
"name": "JIRA",
"id": 1726778135108,
"description": "JIRA",
"proxyTicketExpirationPolicy": {
"@class": "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
},
"serviceTicketExpirationPolicy": {
"@class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
},
"evaluationOrder": 27,
"attributeReleasePolicy": {
"@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
},
"accessStrategy": {
"@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"requireAllAttributes": false
},
"metadataLocation": "/etc/cas/saml/jira-metadat.xml",
"issuerEntityId": "",
"signingCredentialType": "X509"
},


I must be still missing something.

Ocean Liu

Nov 15, 2024, 4:51:56 PM
to Neon Dazzle, CAS Community, Ray Bon
Please check https://apereo.github.io/cas/7.1.x/services/SAML2-Service-Management.html for the example.

I think you are missing `"@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",`
--

Ocean Liu | Enterprise Web Developer | Whitman College
WCTS Building 105F - 509.527.4973

Ray Bon

Nov 18, 2024, 10:04:21 PM
to chico...@gmail.com, cas-...@apereo.org, li...@whitman.edu
Neon,

I wonder if the empty issuerEntityId could cause a problem. Remove it.
As Robert suggested, check the logs. Perhaps turn up logging for opensaml.

Ray

On Mon, 2024-11-18 at 07:14 -0800, Neon Dazzle wrote:
Thank you for your help, I changed the file and added the line as per your suggestion:

{
"@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",


"serviceId": "https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc",
"name": "JIRA",
"id": 1726778135108,
"description": "JIRA",
"proxyTicketExpirationPolicy": {
"@class": "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
},
"serviceTicketExpirationPolicy": {
"@class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
},
"evaluationOrder": 27,
"attributeReleasePolicy": {
"@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
},
"accessStrategy": {
"@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"requireAllAttributes": false
},
"metadataLocation": "/etc/cas/saml/jira-metadat.xml",
"issuerEntityId": "",
"signingCredentialType": "X509"
}


Unfortunately, I get the same error that the application is not authorized to use CAS.
I can see the service on the gui:

I'm very confused. I feel like everything is there. What am I missing?

King, Robert

Nov 18, 2024, 10:04:49 PM
to cas-...@apereo.org, Ocean Liu, Ray Bon

What do your logs say about the service match failure?

 


Neon Dazzle

Dec 3, 2024, 9:36:42 AM
to CAS Community, Ray Bon, li...@whitman.edu, chico...@gmail.com
Hi everyone, I finally got it working.
The attribute was the problem. I was passing email as a NameID as per the Atlassian doc, but it needs to be the primary attribute.
This line made it work:

{
  "@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
  "usernameAttribute": "mail"
}


Thank you so much to all of you for helping me with this. I appreciate it!

Have a nice day.

Mark Thompson

Jan 14, 2025, 12:15:59 PM
to CAS Community, Neon Dazzle, Ray Bon, li...@whitman.edu

Hello

Any chance you can share your setup? We have been fighting with CAS and Atlassian for a bit.


Neon Dazzle

Jan 14, 2025, 9:56:27 PM
to Mark Thompson, CAS Community, Ray Bon, li...@whitman.edu

I don't have access to my files right now, but I think everything needed is in this thread right now.
If you have any specific question, maybe I can help.

K. Asef Erfan

Jan 17, 2025, 10:04:55 AM
to CAS Community, Neon Dazzle, CAS Community, Ray Bon, li...@whitman.edu, Mark Thompson
Hi, is there a way you could share your Atlassian service JSON file? You can edit out the serviceId for privacy reasons.

For some reason in our CAS, giving it "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService" causes it to not be recognized by CAS as a valid application, but if we change it to REGEX registered service it is recognized but then it does not send out the correct POST to Atlassian, which causes Atlassian to fail the id.

Thank you, we appreciate everyone's help here!

K. Asef Erfan

Jan 17, 2025, 10:39:25 PM
to CAS Community, K. Asef Erfan, Neon Dazzle, CAS Community, Ray Bon, li...@whitman.edu, Mark Thompson
Hello,
Just wanted to post an update here that we got CAS working. I'll post our JSON and metadata in case anyone is implementing it in the future; our CAS is v6.x for reference.
The service JSON is below (serviceId, path names, etc. redacted):
{
"@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
"serviceId": " redacted  ",
"name": " redacted  ",
"id":  redacted  ,
"description": "lol",
"proxyTicketExpirationPolicy": {
"@class": "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
},
"usernameAttributeProvider": {
"@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
"usernameAttribute": "mail"

},
"serviceTicketExpirationPolicy": {
"@class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
},
"evaluationOrder": 27,
"attributeReleasePolicy": {
"@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
},
"accessStrategy": {
"@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"requireAllAttributes": false
},
"metadataLocation": "/etc/ redacted  .xml",
"signingCredentialType": "X509"
}


Here is metadata.xml. The cert is redacted, but make sure to use the same cert for signing and encryption in the metadata; we used the signing cert for it.

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2025-01-19T14:44:57Z" cacheDuration="PT604800S" entityID="redacted">

  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>redacted</ds:X509Certificate>

        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>redacted</ds:X509Certificate>

        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="redacted" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

Mohamed Amdouni

Jan 18, 2025, 3:07:45 AM
to cas-...@apereo.org, K. Asef Erfan, Neon Dazzle, Ray Bon, li...@whitman.edu, Mark Thompson
Hello, 

Be careful about the attribute in the metadata 
validUntil="2025-01-19T14:44:57Z"
This will unregister the application after this date.

Best regards.



K. Asef Erfan

Jan 18, 2025, 10:59:58 PM
to CAS Community, Mohamed Amdouni, K. Asef Erfan, Neon Dazzle, Ray Bon, li...@whitman.edu, Mark Thompson
Good catch! Thank you! Those tags must have been there from the XML gen tool; removed the cache dur and valid until tags.
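
The checks the replies in this thread describe (Issuer equals entityID, ACS Location and Binding match the request, Destination is the IdP SSO endpoint, validUntil has not passed), collected into one script as an added example; it is not part of any poster's message or of CAS itself. The function name `check_sp_config`, the finding codes, the host names and the sample XML are constructed for illustration, and the inputs are assumed to be operator-supplied files rather than untrusted XML.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_sp_config(metadata_xml, authn_request_xml, idp_sso_url, now=None):
    """Compare SP metadata with a captured AuthnRequest; return finding codes."""
    now = now or datetime.now(timezone.utc)
    md, req = ET.fromstring(metadata_xml), ET.fromstring(authn_request_xml)
    findings = []
    # Issuer in the request must equal entityID in the SP metadata.
    issuer = req.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != md.get("entityID"):
        findings.append("issuer-entityid-mismatch")
    # ACS Location and Binding in the metadata must match what the SP sends.
    acs = {(a.get("Binding"), a.get("Location"))
           for a in md.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS)}
    if (req.get("ProtocolBinding"), req.get("AssertionConsumerServiceURL")) not in acs:
        findings.append("acs-mismatch")
    # The SP must send the request to the IdP SSO endpoint, not the CAS home page.
    if req.get("Destination") != idp_sso_url:
        findings.append("destination-not-sso-endpoint")
    # A validUntil in the past means the metadata is expired.
    valid_until = md.get("validUntil")
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= now:
            findings.append("metadata-expired")
    return findings

# Constructed sample data (placeholder IDs and host names, not from a real tenant).
ACS_URL = "https://auth.atlassian.com/login/callback?connection=saml-xxxx-xxxx-xxxx"
ENTITY_ID = "https://auth.atlassian.com/saml/xxxx-xxxx-xxxx"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SSO_URL = "https://cas.example.com/cas/idp/profile/SAML2/Redirect/SSO"

def sample_metadata(location=ACS_URL, valid_until="2024-11-03T19:47:00Z"):
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="{ENTITY_ID}" '
            f'validUntil="{valid_until}"><md:SPSSODescriptor>'
            f'<md:AssertionConsumerService index="1" Binding="{POST}" '
            f'Location="{location}"/></md:SPSSODescriptor></md:EntityDescriptor>')

def sample_request(destination):
    return (f'<p:AuthnRequest xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'xmlns:a="{NS["saml"]}" AssertionConsumerServiceURL="{ACS_URL}" '
            f'Destination="{destination}" ProtocolBinding="{POST}" Version="2.0">'
            f'<a:Issuer>{ENTITY_ID}</a:Issuer></p:AuthnRequest>')

if __name__ == "__main__":
    now = datetime(2024, 11, 15, tzinfo=timezone.utc)
    print(check_sp_config(sample_metadata(), sample_request("https://cas.example.com/cas"), SSO_URL, now))
```

Paste the AuthnRequest captured with a SAML tracing tool and the SP metadata file into the two XML arguments; an empty list means the four checks passed.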