SAML2 bug: Unable to locate any signing credentials


Marcin Roman

Apr 5, 2021, 4:41:02 AM
to CAS Community
Hi, I have discovered yet another bug in SAML2 support in 6.3.4-SNAPSHOT and 6.4.0-SNAPSHOT.
It looks like SamlIdPMetadataResolver is provided with the CAS URL instead of the entityId while resolving signing credentials.

cas_1 | TRACE [org.apereo.cas.support.saml.SamlUtils] Attempting to create SAMLObject for type: [interface org.opensaml.saml.saml2.core.Status] and QName: [{urn:oasis:names:tc:SAML:2.0:protocol}Status]
cas_1 | TRACE [org.apereo.cas.support.saml.SamlUtils] Attempting to create SAMLObject for type: [interface org.opensaml.saml.saml2.core.StatusCode] and QName: [{urn:oasis:names:tc:SAML:2.0:protocol}StatusCode]
cas_1 | DEBUG [org.apereo.cas.support.saml.SamlUtils] ********************************************************************************
cas_1 | DEBUG [org.apereo.cas.support.saml.SamlUtils] Logging [org.opensaml.saml.saml2.core.impl.ResponseImpl]
cas_1 |
cas_1 | [<?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp" ID="_111942357346883584" InResponseTo="_f23e8fe1993a1a61287f3d30288ee5700f936c0631" IssueInstant="2021-04-05T07:55:18.827Z" Version="2.0">
cas_1 | <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://login.umcs.pl/cas/idp/metadata</saml2:Issuer>
cas_1 | <saml2p:Status>
cas_1 | <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
cas_1 | </saml2p:Status>
cas_1 | <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_5878410931315849216" IssueInstant="2021-04-05T07:55:18.753Z" Version="2.0">
cas_1 | <saml2:Issuer>https://login.umcs.pl/cas/idp/metadata</saml2:Issuer>
cas_1 | <saml2:Subject>
// DELETED
cas_1 | </saml2:Assertion>
cas_1 | </saml2p:Response>
cas_1 | ]
cas_1 |
cas_1 |
cas_1 | DEBUG [org.apereo.cas.support.saml.SamlUtils] ********************************************************************************
cas_1 | DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.response.SamlProfileSaml2ResponseBuilder] SAML entity id [https://aai.pionier.net.pl/test/module.php/saml/sp/metadata.php/default-sp] indicates that SAML responses should be signed
cas_1 | TRACE [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] Attempting to encode [org.opensaml.saml.saml2.core.impl.ResponseImpl] for [https://aai.pionier.net.pl/test/module.php/saml/sp/metadata.php/default-sp]
cas_1 | TRACE [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] Outbound saml object to use is [org.opensaml.saml.saml2.core.impl.ResponseImpl]
cas_1 | DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] Fetched assertion consumer service url [https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp] with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST] from authentication request
cas_1 | DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] Configured peer entity endpoint to be [https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp] with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST]
cas_1 | TRACE [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] Default signature signing blocked algorithms: [[http://www.w3.org/2001/04/xmldsig-more#hmac-md5, http://www.w3.org/2001/04/xmldsig-more#md5, http://www.w3.org/2001/04/xmldsig-more#rsa-md5]]
cas_1 | TRACE [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] Default signature signing signature algorithms: [[http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, http://www.w3.org/2001/04/xmldsig-more#rsa-sha512, http://www.w3.org/2000/09/xmldsig#rsa-sha1, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1, http://www.w3.org/2000/09/xmldsig#dsa-sha1, http://www.w3.org/2001/04/xmldsig-more#hmac-sha256, http://www.w3.org/2001/04/xmldsig-more#hmac-sha384, http://www.w3.org/2001/04/xmldsig-more#hmac-sha512, http://www.w3.org/2000/09/xmldsig#hmac-sha1]]
cas_1 | TRACE [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] Default signature signing signature canonicalization algorithm: [http://www.w3.org/2001/10/xml-exc-c14n#]
cas_1 | TRACE [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] Default signature signing allowed algorithms: [[]]
cas_1 | TRACE [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] Default signature signing reference digest methods: [[http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2001/04/xmldsig-more#sha384, http://www.w3.org/2001/04/xmlenc#sha512, http://www.w3.org/2000/09/xmldsig#sha1]]
cas_1 | TRACE [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] Finalized signature signing blocked algorithms: [[http://www.w3.org/2001/04/xmldsig-more#hmac-md5, http://www.w3.org/2001/04/xmldsig-more#md5, http://www.w3.org/2001/04/xmldsig-more#rsa-md5]]
cas_1 | TRACE [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] Finalized signature signing signature algorithms: [[http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, http://www.w3.org/2001/04/xmldsig-more#rsa-sha512, http://www.w3.org/2000/09/xmldsig#rsa-sha1, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1, http://www.w3.org/2000/09/xmldsig#dsa-sha1, http://www.w3.org/2001/04/xmldsig-more#hmac-sha256, http://www.w3.org/2001/04/xmldsig-more#hmac-sha384, http://www.w3.org/2001/04/xmldsig-more#hmac-sha512, http://www.w3.org/2000/09/xmldsig#hmac-sha1]]
cas_1 | TRACE [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] Finalized signature signing signature canonicalization algorithm: [http://www.w3.org/2001/10/xml-exc-c14n#]
cas_1 | TRACE [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] Finalized signature signing allowed algorithms: [[]]
cas_1 | TRACE [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] Finalized signature signing reference digest methods: [[http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2001/04/xmldsig-more#sha384, http://www.w3.org/2001/04/xmlenc#sha512, http://www.w3.org/2000/09/xmldsig#sha1]]
cas_1 | TRACE [org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator] Metadata directory location for [aai_pionier_net_pl_test] is [/etc/cas/saml/aai_pionier_net_pl_test-1001]
cas_1 | DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] Locating signature signing key for [SamlRegisteredService(super=AbstractRegisteredService(serviceId=https://aai\.pionier\.net\.pl/test/.*, name=aai_pionier_net_pl_test, theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=1001, description=null, expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null), acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(enabled=true, messageCode=null, text=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, proxyTicketExpirationPolicy=null, proxyGrantingTicketExpirationPolicy=null, ticketGrantingTicketExpirationPolicy=null, serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null, evaluationOrder=999, usernameAttributeProvider=org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider@9d20af0c, logoutType=BACK_CHANNEL, environments=[], attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[MetadataEntityAttributesAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED, excludedAttributes=null, includeOnlyAttributes=null, order=0), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null, order=0), allowedAttributes=[eduPersonPrincipalName, eduPersonTargetedID, mail, displayName, givenName, sn, eduPersonScopedAffiliation]), entityAttribute=null, entityAttributeFormat=null, entityAttributeValues=[]), 
EduPersonTargetedIdAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED, excludedAttributes=null, includeOnlyAttributes=null, order=0), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null, order=0), allowedAttributes=[]), salt=abc, attribute=uidNumber)], mergingPolicy=replace, order=0), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[], failureMode=UNDEFINED, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false, forceExecution=false, bypassTrustedDeviceEnabled=false, bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null, script=null), matchingStrategy=FullRegexRegisteredServiceMatchingStrategy(servicePattern=https://aai\.pionier\.net\.pl/test/.*), logo=null, logoutUrl=null, redirectUrl=null, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[], permitUndefined=true, exclusive=false), requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[], excludedAuthenticationHandlers=[], criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(tryAll=false)), properties={}, contacts=[]), metadataLocation=/etc/cas/metadata/aai.pionier.net.pl.xml, metadataProxyLocation=null, metadataMaxValidity=0, requiredAuthenticationContextClass=null, 
metadataCriteriaDirection=null, metadataCriteriaPattern=null, requiredNameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, metadataSignatureLocation=null, logoutResponseBinding=null, requireSignedRoot=true, serviceProviderNameIdQualifier=null, nameIdQualifier=null, metadataExpirationDuration=PT60M, signingCredentialFingerprint=null, issuerEntityId=null, signingKeyAlgorithm=null, signAssertions=false, signUnsolicitedAuthnRequest=false, skipGeneratingAssertionNameId=false, skipGeneratingSubjectConfirmationInResponseTo=false, skipGeneratingSubjectConfirmationNotOnOrAfter=false, skipGeneratingSubjectConfirmationRecipient=false, skipGeneratingSubjectConfirmationNotBefore=true, skipGeneratingSubjectConfirmationNameId=true, skipGeneratingNameIdQualifiers=false, skipGeneratingTransientNameId=false, signResponses=true, encryptAssertions=false, encryptAttributes=false, encryptionOptional=false, metadataCriteriaRoles=SPSSODescriptor, metadataCriteriaRemoveEmptyEntitiesDescriptors=true, metadataCriteriaRemoveRolelessEntityDescriptors=true, signingCredentialType=null, assertionAudiences=null, skewAllowance=0, whiteListBlackListPrecedence=null, attributeNameFormats={}, attributeFriendlyNames={}, attributeValueTypes={}, encryptableAttributes=[], signingSignatureReferenceDigestMethods=[], signingSignatureAlgorithms=[], signingSignatureBlackListedAlgorithms=[], signingSignatureWhiteListedAlgorithms=[], signingSignatureCanonicalizationAlgorithm=null, encryptionDataAlgorithms=[], encryptionKeyAlgorithms=[], encryptionBlackListedAlgorithms=[], encryptionWhiteListedAlgorithms=[])] using algorithm [RSA]
cas_1 | DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver] Resolving credentials from metadata using entityID: https://login.umcs.pl/cas/idp/metadata, role: {urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor, protocol: null, usage: SIGNING
cas_1 | TRACE [org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator] Metadata directory location for [aai_pionier_net_pl_test] is [/etc/cas/saml/aai_pionier_net_pl_test-1001]
cas_1 | TRACE [org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator] Metadata directory location for [aai_pionier_net_pl_test] is [/etc/cas/saml/aai_pionier_net_pl_test-1001]
cas_1 | TRACE [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] Resolved metadata resource is [file [/etc/cas/saml/idp-metadata.xml]]
cas_1 | TRACE [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] Located metadata root element [EntityDescriptor]
cas_1 | TRACE [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] Initializing metadata resolver [SamlIdPMetadataResolver]
cas_1 | TRACE [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] Resolving metadata for criteria [[UsageCriterion [credUsage=SIGNING], EntityRoleCriterion [role={urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor], SamlIdPSamlRegisteredServiceCriterion(registeredService=SamlRegisteredService(super=AbstractRegisteredService(serviceId=https://aai\.pionier\.net\.pl/test/.*, name=aai_pionier_net_pl_test, theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=1001, description=null, expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null), acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(enabled=true, messageCode=null, text=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, proxyTicketExpirationPolicy=null, proxyGrantingTicketExpirationPolicy=null, ticketGrantingTicketExpirationPolicy=null, serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null, evaluationOrder=999, usernameAttributeProvider=org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider@9d20af0c, logoutType=BACK_CHANNEL, environments=[], attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[MetadataEntityAttributesAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED, excludedAttributes=null, includeOnlyAttributes=null, order=0), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null, order=0), allowedAttributes=[eduPersonPrincipalName, eduPersonTargetedID, mail, displayName, givenName, sn, 
eduPersonScopedAffiliation]), entityAttribute=null, entityAttributeFormat=null, entityAttributeValues=[]), EduPersonTargetedIdAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED, excludedAttributes=null, includeOnlyAttributes=null, order=0), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null, order=0), allowedAttributes=[]), salt=abc, attribute=uidNumber)], mergingPolicy=replace, order=0), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[], failureMode=UNDEFINED, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false, forceExecution=false, bypassTrustedDeviceEnabled=false, bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null, script=null), matchingStrategy=FullRegexRegisteredServiceMatchingStrategy(servicePattern=https://aai\.pionier\.net\.pl/test/.*), logo=null, logoutUrl=null, redirectUrl=null, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[], permitUndefined=true, exclusive=false), requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[], excludedAuthenticationHandlers=[], criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(tryAll=false)), properties={}, contacts=[]), metadataLocation=/etc/cas/metadata/aai.pionier.net.pl.xml, 
metadataProxyLocation=null, metadataMaxValidity=0, requiredAuthenticationContextClass=null, metadataCriteriaDirection=null, metadataCriteriaPattern=null, requiredNameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, metadataSignatureLocation=null, logoutResponseBinding=null, requireSignedRoot=true, serviceProviderNameIdQualifier=null, nameIdQualifier=null, metadataExpirationDuration=PT60M, signingCredentialFingerprint=null, issuerEntityId=null, signingKeyAlgorithm=null, signAssertions=false, signUnsolicitedAuthnRequest=false, skipGeneratingAssertionNameId=false, skipGeneratingSubjectConfirmationInResponseTo=false, skipGeneratingSubjectConfirmationNotOnOrAfter=false, skipGeneratingSubjectConfirmationRecipient=false, skipGeneratingSubjectConfirmationNotBefore=true, skipGeneratingSubjectConfirmationNameId=true, skipGeneratingNameIdQualifiers=false, skipGeneratingTransientNameId=false, signResponses=true, encryptAssertions=false, encryptAttributes=false, encryptionOptional=false, metadataCriteriaRoles=SPSSODescriptor, metadataCriteriaRemoveEmptyEntitiesDescriptors=true, metadataCriteriaRemoveRolelessEntityDescriptors=true, signingCredentialType=null, assertionAudiences=null, skewAllowance=0, whiteListBlackListPrecedence=null, attributeNameFormats={}, attributeFriendlyNames={}, attributeValueTypes={}, encryptableAttributes=[], signingSignatureReferenceDigestMethods=[], signingSignatureAlgorithms=[], signingSignatureBlackListedAlgorithms=[], signingSignatureWhiteListedAlgorithms=[], signingSignatureCanonicalizationAlgorithm=null, encryptionDataAlgorithms=[], encryptionKeyAlgorithms=[], encryptionBlackListedAlgorithms=[], encryptionWhiteListedAlgorithms=[])), SignatureSigningConfigurationCriterion [configs=[org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration@3df6e0b2]], EntityIdCriterion [id=https://login.umcs.pl/cas/idp/metadata]]]
cas_1 | DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver] Metadata Resolver SamlIdPMetadataResolver https://login.umcs.pl/cas/idp/metadata: Metadata backing store does not contain any EntityDescriptors with the ID: https://login.umcs.pl/cas/idp/metadata
cas_1 | DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver] Metadata Resolver SamlIdPMetadataResolver https://login.umcs.pl/cas/idp/metadata: Resolved 0 candidates via EntityIdCriterion: EntityIdCriterion [id=https://login.umcs.pl/cas/idp/metadata]
cas_1 | DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver] Metadata Resolver SamlIdPMetadataResolver https://login.umcs.pl/cas/idp/metadata: Candidates iteration was empty, nothing to filter via predicates
cas_1 | TRACE [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] Resolved metadata resource is [file [/etc/cas/saml/idp-metadata.xml]]
cas_1 | TRACE [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] Located metadata root element [EntityDescriptor]
cas_1 | TRACE [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] Initializing metadata resolver [SamlIdPMetadataResolver]
cas_1 | TRACE [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] Resolving metadata for criteria [[UsageCriterion [credUsage=SIGNING], EntityRoleCriterion [role={urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor], SamlIdPSamlRegisteredServiceCriterion(registeredService=SamlRegisteredService(super=AbstractRegisteredService(serviceId=https://aai\.pionier\.net\.pl/test/.*, name=aai_pionier_net_pl_test, theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=1001, description=null, expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null), acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(enabled=true, messageCode=null, text=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, proxyTicketExpirationPolicy=null, proxyGrantingTicketExpirationPolicy=null, ticketGrantingTicketExpirationPolicy=null, serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null, evaluationOrder=999, usernameAttributeProvider=org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider@9d20af0c, logoutType=BACK_CHANNEL, environments=[], attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[MetadataEntityAttributesAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED, excludedAttributes=null, includeOnlyAttributes=null, order=0), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null, order=0), allowedAttributes=[eduPersonPrincipalName, eduPersonTargetedID, mail, displayName, givenName, sn, 
eduPersonScopedAffiliation]), entityAttribute=null, entityAttributeFormat=null, entityAttributeValues=[]), EduPersonTargetedIdAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED, excludedAttributes=null, includeOnlyAttributes=null, order=0), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null, order=0), allowedAttributes=[]), salt=abc, attribute=uidNumber)], mergingPolicy=replace, order=0), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[], failureMode=UNDEFINED, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false, forceExecution=false, bypassTrustedDeviceEnabled=false, bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null, script=null), matchingStrategy=FullRegexRegisteredServiceMatchingStrategy(servicePattern=https://aai\.pionier\.net\.pl/test/.*), logo=null, logoutUrl=null, redirectUrl=null, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[], permitUndefined=true, exclusive=false), requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[], excludedAuthenticationHandlers=[], criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(tryAll=false)), properties={}, contacts=[]), metadataLocation=/etc/cas/metadata/aai.pionier.net.pl.xml, 
metadataProxyLocation=null, metadataMaxValidity=0, requiredAuthenticationContextClass=null, metadataCriteriaDirection=null, metadataCriteriaPattern=null, requiredNameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, metadataSignatureLocation=null, logoutResponseBinding=null, requireSignedRoot=true, serviceProviderNameIdQualifier=null, nameIdQualifier=null, metadataExpirationDuration=PT60M, signingCredentialFingerprint=null, issuerEntityId=null, signingKeyAlgorithm=null, signAssertions=false, signUnsolicitedAuthnRequest=false, skipGeneratingAssertionNameId=false, skipGeneratingSubjectConfirmationInResponseTo=false, skipGeneratingSubjectConfirmationNotOnOrAfter=false, skipGeneratingSubjectConfirmationRecipient=false, skipGeneratingSubjectConfirmationNotBefore=true, skipGeneratingSubjectConfirmationNameId=true, skipGeneratingNameIdQualifiers=false, skipGeneratingTransientNameId=false, signResponses=true, encryptAssertions=false, encryptAttributes=false, encryptionOptional=false, metadataCriteriaRoles=SPSSODescriptor, metadataCriteriaRemoveEmptyEntitiesDescriptors=true, metadataCriteriaRemoveRolelessEntityDescriptors=true, signingCredentialType=null, assertionAudiences=null, skewAllowance=0, whiteListBlackListPrecedence=null, attributeNameFormats={}, attributeFriendlyNames={}, attributeValueTypes={}, encryptableAttributes=[], signingSignatureReferenceDigestMethods=[], signingSignatureAlgorithms=[], signingSignatureBlackListedAlgorithms=[], signingSignatureWhiteListedAlgorithms=[], signingSignatureCanonicalizationAlgorithm=null, encryptionDataAlgorithms=[], encryptionKeyAlgorithms=[], encryptionBlackListedAlgorithms=[], encryptionWhiteListedAlgorithms=[])), SignatureSigningConfigurationCriterion [configs=[org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration@3df6e0b2]], EntityIdCriterion [id=https://login.umcs.pl/cas/idp/metadata]]]
cas_1 | DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver] Metadata Resolver SamlIdPMetadataResolver https://login.umcs.pl/cas/idp/metadata: Metadata backing store does not contain any EntityDescriptors with the ID: https://login.umcs.pl/cas/idp/metadata
cas_1 | DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver] Metadata Resolver SamlIdPMetadataResolver https://login.umcs.pl/cas/idp/metadata: Resolved 0 candidates via EntityIdCriterion: EntityIdCriterion [id=https://login.umcs.pl/cas/idp/metadata]
cas_1 | DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver] Metadata Resolver SamlIdPMetadataResolver https://login.umcs.pl/cas/idp/metadata: Candidates iteration was empty, nothing to filter via predicates
cas_1 | DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver] Resolved no EntityDescriptors via underlying MetadataResolver, returning empty collection
cas_1 | ERROR [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] Unable to locate any signing credentials for service [aai_pionier_net_pl_test]

Pablo Vidaurri

Aug 25, 2021, 3:06:32 PM
to CAS Community, Marcin Roman
Any solution or workaround for this? Getting the same issue on CAS 6.3.2. The only way to get it to work is if I set my entityId to be the same as the hostname, which will not work in a production env.

Marcin Roman

Aug 26, 2021, 3:11:50 AM
to Pablo Vidaurri, CAS Community
The entityId in the metadata must match the entityId in the CAS properties.
Use CAS 6.3.4 or 6.4. I couldn't get it working with other versions.

Pablo Vidaurri

Jan 5, 2022, 9:38:31 PM
to CAS Community, Marcin Roman, CAS Community, Pablo Vidaurri
Just saw this reply ...

That did not seem to work. I have my SP metadata with X509 certs embedded. I have my service definition like the following:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "description" : "my super super service",
  "serviceId" : "^https://my.super.duper.svc.com",   // entity id of my SP metadata file
  "name" : "super_duper",
  "id" : 20210115134141,
  "evaluationOrder" : 30,
  "metadataLocation" : "file:/apps//cas/metadata/super_duper_metadata.xml",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "firstName", "lastName" ] ]
  },
  "signAssertions" : true,
  "signingCredentialType" : "X509"
}

Still getting error:
Unable to locate any signing credentials for service [super_duper]

Do I need a separate crt somewhere instead of relying on the embedded cert in the SP metadata?

Ray Bon

Jan 6, 2022, 2:02:30 PM
to cas-...@apereo.org, marcinr...@gmail.com, psvid...@gmail.com
Pablo,

The signing credentials are yours, not the service's. They are not read out of metadata since it requires the key. You set the location with (your cert and key are stored in the same location as the metadata):
cas.authn.saml-idp.metadata.file-system.location=

CAS will generate the metadata and certs on startup; make sure CAS can write to the directory.


Ray


Pablo Vidaurri

Jan 6, 2022, 10:11:33 PM
to CAS Community, Ray Bon, Marcin Roman, Pablo Vidaurri
Thanks for replying Ray,

Yes, I have that config, and I see the crt, keys, and idp-metadata that were auto-generated in it.

The error seems misleading... it sounds like it is looking for SP metadata signing credentials.

-psv

Ray Bon

Jan 7, 2022, 12:09:11 PM
to psvid...@gmail.com, cas-...@apereo.org, marcinr...@gmail.com
Pablo,

Is the aai... service the same as super duper?
The aai... service is configured to have per-service signing / encryption certs (this line in the log: Metadata directory location for [aai_pionier_net_pl_test] is [/etc/cas/saml/aai_pionier_net_pl_test-1001]).

If the two services are different, then you will need two IdP metadata files and two signing and two encryption certs (if you are using encryption).

Ray
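The lookup that fails in the log above (EntityIdCriterion + IDPSSODescriptor role + SIGNING usage against idp-metadata.xml, "Resolved 0 candidates") can be reproduced offline to tell the two usual causes apart: the entityId CAS is configured with not matching the entityID in the generated IdP metadata (Marcin's point), or the metadata carrying no signing KeyDescriptor at all (Ray's point about CAS having to generate the key and cert). The script below is an added example, not CAS or OpenSAML code; the IdP metadata it parses is a constructed sample with placeholder entityID and certificate values.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed sample shaped like the idp-metadata.xml CAS writes into
# cas.authn.saml-idp.metadata.file-system.location; every value is a placeholder.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://idp.example.org/cas/idp/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBsigningCertPlaceholder==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBencryptionCertPlaceholder==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://idp.example.org/cas/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def entity_descriptors(xml_text):
    """Map entityID -> EntityDescriptor element. Accepts either a single
    EntityDescriptor root or an EntitiesDescriptor aggregate, which is the
    'metadata backing store' a batch resolver searches by entityID."""
    root = ET.fromstring(xml_text)
    if root.tag == "{%s}EntityDescriptor" % MD:
        found = [root]
    else:
        found = root.findall(".//md:EntityDescriptor", NS)
    return {e.get("entityID"): e for e in found if e.get("entityID")}


def resolve_signing_certs(xml_text, entity_id, role="IDPSSODescriptor"):
    """Apply the three criteria CAS logs for the signing-key lookup: the
    entityID, the role descriptor, and usage SIGNING. Returns the base64
    certificate bodies found, or [] when no EntityDescriptor has that ID
    (the 'Resolved 0 candidates via EntityIdCriterion' case)."""
    entity = entity_descriptors(xml_text).get(entity_id)
    if entity is None:
        return []
    certs = []
    for kd in entity.findall("md:%s/md:KeyDescriptor" % role, NS):
        # SAML metadata: a KeyDescriptor without a 'use' attribute serves both
        # signing and encryption, so it also satisfies a SIGNING usage criterion.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                certs.append("".join((cert.text or "").split()))
    return certs


def diagnose(xml_text, configured_entity_id):
    """Return (verdict, detail) explaining why 'Unable to locate any signing
    credentials' would be raised for the configured IdP entityId."""
    ids = list(entity_descriptors(xml_text))
    if configured_entity_id not in ids:
        return ("entity-id-mismatch",
                "CAS looks up [%s] but idp-metadata.xml declares %s"
                % (configured_entity_id, ids))
    if not resolve_signing_certs(xml_text, configured_entity_id):
        return ("no-signing-key",
                "[%s] has no IDPSSODescriptor KeyDescriptor usable for signing"
                % configured_entity_id)
    return ("ok", "[%s] resolves to a signing credential" % configured_entity_id)


if __name__ == "__main__":
    # Mismatch: the configured entityId is the CAS base URL, not the metadata's entityID.
    print(diagnose(SAMPLE_IDP_METADATA, "https://idp.example.org/cas"))
    # Match: the configured entityId is exactly the entityID in idp-metadata.xml.
    print(diagnose(SAMPLE_IDP_METADATA, "https://idp.example.org/cas/idp/metadata"))
```

Point the same functions at the real idp-metadata.xml from the file-system location and at the value of the CAS entity-id property to get the verdict for a live deployment; the per-service directory Ray mentions (name-id under the same base path) holds its own idp-metadata.xml and is checked the same way.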