CAS Apereo as SP -> IBM as IdP


Efren Pérez

Jul 10, 2018, 7:54:47 AM
to CAS Community

We are trying to connect CAS Apereo to IBM IdP but we have a FBTSML238E error "Message signature could not be validated". The IdP Team tells us "we need to disable signature verification / validation" but I don't know how to disable it in CAS Apereo.

Could someone help me?


Jérôme LELEU

Jul 10, 2018, 8:27:06 AM
to CAS Community
Hi,

There is a parameter in pac4j (the library used for authentication delegation) to define if you want the SAML auth request to be signed (authnRequestSigned), but you can't set it in CAS via a property.

You need some manual customization here.

Thanks.
Best regards,
Jérôme




Efren Pérez

Jul 10, 2018, 8:35:24 AM
to CAS Community
Hello Leleuj,

Thanks a lot for the response. I am going to clone https://github.com/apereo/cas and change it to false in the class SamlRegisteredService.java
@Column
private boolean signResponses = true;

and build again.

Regards,
Efrén



Efren Pérez

Jul 10, 2018, 8:39:40 AM
to CAS Community
Hello Jérôme,

The field is authnRequestSigned; I am going to try.

Regards,
Efrén

Jérôme LELEU

Jul 10, 2018, 8:43:48 AM
to CAS Community
Hi,

Maybe I misunderstood your previous post, but the SamlRegisteredService class is for defining an SP when the CAS server acts as an IdP.

I thought you were doing quite the opposite: use the CAS server as an SP and the IBM server as an IdP.

Thanks.
Best regards,
Jérôme



Efren Pérez

Jul 10, 2018, 8:47:48 AM
to cas-...@apereo.org
Hello Jérôme,

You are right: CAS as SP -> IBM as IdP. I was wrong about SamlRegisteredService. I would need to change it in SAML2ClientConfiguration.java, if I understand correctly. I have never done it, so I am going to try.

Thanks a lot,
Sorry for the mistake,
Efrén





--
Efrén Pérez
DevOps

Efren Pérez

Jul 11, 2018, 5:50:50 AM
to cas-...@apereo.org
Hello Jérôme,

I have already made the change. 

image.png

image.png

image.png

And it is creating a new sp-metadata without sign:

image.png

I hope it works.

Regards,
Efrén
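
An added example, not part of the thread and not CAS or pac4j code: a check over generated SP metadata that separates the things "without sign" can mean, namely the AuthnRequestsSigned flag, a published signing key, and a signature over the metadata document itself. The entity ID, ACS URL and certificate value in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: SP metadata that advertises unsigned AuthnRequests
# but still publishes a signing certificate (placeholder value).
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://cas.example.org/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cas.example.org/cas/login?client_name=SAML2Client"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _flag(value):
    # xs:boolean allows "true"/"1"; an absent attribute defaults to false.
    return (value or "false").strip().lower() in ("true", "1")


def signing_posture(metadata_xml):
    """Summarise what locally generated SP metadata tells the IdP about signatures."""
    root = ET.fromstring(metadata_xml)
    sp = root.find(".//md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    keys = sp.findall("md:KeyDescriptor", NS)
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": _flag(sp.get("AuthnRequestsSigned")),
        "want_assertions_signed": _flag(sp.get("WantAssertionsSigned")),
        # A KeyDescriptor without a "use" attribute serves signing and encryption.
        "has_signing_key": any(k.get("use") in (None, "signing") for k in keys),
        # Signature over the metadata document itself, independent of the flags.
        "metadata_signed": root.find("ds:Signature", NS) is not None,
    }
```

Comparing this summary with what the IdP has registered for the SP shows whether both sides agree on request signing; the IdP has to re-import the metadata after any change for the new flags to take effect.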

Efren Pérez

Jul 11, 2018, 10:30:35 AM
to cas-...@apereo.org
Hello Jérôme,

The problem is still happening. Could it be that I need to disable another feature to avoid signing? The log file shows the following message:

image.png

Regards,
Efrén 