Delegated Authentication SAML2 : Single EntityID


wouldsmina

Jul 9, 2024, 5:11:37 AM
to CAS Community
Hello,
I want to use identity delegation to allow other IdPs to authenticate a number of my services. I was inspired by this documentation: https://fawnoos.com/2023/10/04/cas66-delegate-authn-saml2-idp/. But I notice that for each declared IdP, CAS produces different EntityId and metadatas.

The IdPs concerned are part of the EduGain identity federation and I'd like to declare a single SP (for simplicity and to comply with the charter). Do you know if it's possible to configure CAS to create a single EntityId for all declared IdPs?

Best regards,
Wouldsmina

Ray Bon

Jul 9, 2024, 6:37:29 PM
to CAS Community
Wouldsmina,

Once your SP metadata is in the specified location, cas will not recreate it.
Are you using a different entityId or key for each IdP? That is not necessary.

Ray

From: cas-...@apereo.org <cas-...@apereo.org> on behalf of wouldsmina <would...@gmail.com>
Sent: 09 July 2024 02:03
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] Delegated Authentication SAML2 : Single EntityID
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNbBoMTU5rSOvnupAoykoEmyV-1_GtRtmkU2%3D4j7Lih2Hw%40mail.gmail.com.

wouldsmina

Jul 10, 2024, 7:03:59 AM
to cas-...@apereo.org
Hello Ray,
Thanks for your reply.
Here is an example of what I did:

cas.authn.pac4j.saml[6].keystore-password=password1
cas.authn.pac4j.saml[6].private-key-password=password2
cas.authn.pac4j.saml[6].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/ufra
cas.authn.pac4j.saml[6].service-provider-metadata-path=/etc/cas/config/sp-metadata-ufra.xml
cas.authn.pac4j.saml[6].keystore-path=/etc/cas/config/samlKeystore-ufra.jks
cas.authn.pac4j.saml[6].identity-provider-metadata-path=https://idp-cafe.ufra.edu.br/idp/shibboleth
cas.authn.pac4j.saml[6].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
cas.authn.pac4j.saml[6].client-name=idpufra
cas.authn.pac4j.saml[6].display-name=UFRA
cas.authn.pac4j.saml[6].logout-request-binding=

cas.authn.pac4j.saml[7].keystore-password=password3
cas.authn.pac4j.saml[7].private-key-password=password4
cas.authn.pac4j.saml[7].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/uce
cas.authn.pac4j.saml[7].service-provider-metadata-path=/etc/cas/config/sp-metadata-uce.xml
cas.authn.pac4j.saml[7].keystore-path=/etc/cas/config/samlKeystore-uce.jks
cas.authn.pac4j.saml[7].identity-provider-metadata-path=https://login.uce.cedia.edu.ec/saml2/idp/metadata.php
cas.authn.pac4j.saml[7].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
cas.authn.pac4j.saml[7].client-name=idpuce
cas.authn.pac4j.saml[7].display-name=Universidad Central del Ecuador
cas.authn.pac4j.saml[7].logout-request-binding=

cas.authn.pac4j.saml[8].keystore-password=password5
cas.authn.pac4j.saml[8].private-key-password=password6
cas.authn.pac4j.saml[8].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/uniandes
cas.authn.pac4j.saml[8].service-provider-metadata-path=/etc/cas/config/sp-metadata-uniandes.xml
cas.authn.pac4j.saml[8].keystore-path=/etc/cas/config/samlKeystore-uniandes.jks
cas.authn.pac4j.saml[8].identity-provider-metadata-path=https://login.uniandes.cedia.edu.ec/saml2/idp/metadata.php
cas.authn.pac4j.saml[8].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
cas.authn.pac4j.saml[8].client-name=idpuniandes
cas.authn.pac4j.saml[8].display-name=UNIANDES
cas.authn.pac4j.saml[8].logout-request-binding=

If I understand what you're proposing, I have to do this:

cas.authn.pac4j.saml[6].keystore-password=password1
cas.authn.pac4j.saml[6].private-key-password=password2
cas.authn.pac4j.saml[6].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/all
cas.authn.pac4j.saml[6].service-provider-metadata-path=/etc/cas/config/sp-metadata-all.xml
cas.authn.pac4j.saml[6].keystore-path=/etc/cas/config/samlKeystore-all.jks
cas.authn.pac4j.saml[6].identity-provider-metadata-path=https://idp-cafe.ufra.edu.br/idp/shibboleth
cas.authn.pac4j.saml[6].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
cas.authn.pac4j.saml[6].client-name=idpufra
cas.authn.pac4j.saml[6].display-name=UFRA
cas.authn.pac4j.saml[6].logout-request-binding=

cas.authn.pac4j.saml[7].keystore-password=password1
cas.authn.pac4j.saml[7].private-key-password=password2
cas.authn.pac4j.saml[7].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/all
cas.authn.pac4j.saml[7].service-provider-metadata-path=/etc/cas/config/sp-metadata-all.xml
cas.authn.pac4j.saml[7].keystore-path=/etc/cas/config/samlKeystore-all.jks
cas.authn.pac4j.saml[7].identity-provider-metadata-path=https://login.uce.cedia.edu.ec/saml2/idp/metadata.php
cas.authn.pac4j.saml[7].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
cas.authn.pac4j.saml[7].client-name=idpuce
cas.authn.pac4j.saml[7].display-name=Universidad Central del Ecuador
cas.authn.pac4j.saml[7].logout-request-binding=

Best regards

wouldsmina

Jul 10, 2024, 4:33:43 PM
to cas-...@apereo.org
I've tried configuring all the IdPs with the same values (as in the example), but only the first one used works. In the metadata file generated by CAS, I find data specific to the first IdP:
<init:RequestInitiator Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://auth.icoopeb.org/cas/login?client_name=lmu"/>

CAS also generates the saml-signing-cert-lmu.crt and saml-signing-cert-lmu.key files, but I don't think that's a problem.

Thanks for the link, I had seen this documentation, but I don't understand what the JSON file of cas.authn.pac4j.core.discovery-selection.json.location should contain. Is there any documentation or an example?

Wouldsmina.
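An added example, not from the thread and not CAS project code, to make the check above concrete: parse the SP metadata CAS wrote for a delegated client and report which client its endpoints are bound to. The metadata document is constructed here (the entityID and the client_name=lmu RequestInitiator follow the post above; the AssertionConsumerService, the KeyDescriptor and the certificate value are assumed for illustration), so the real file CAS emits may differ in detail.

```python
"""Inspect SP metadata written for a CAS delegated SAML2 client.

Constructed example for this thread: the XML below is hand-written, not a
real file produced by CAS. Only the entityID and the RequestInitiator
Location (client_name=lmu) come from the post; the rest is assumed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "init": "urn:oasis:names:tc:SAML:profiles:SSO:request-init",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://auth.icoopeb.org/cas/sp/all">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <init:RequestInitiator Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
          Location="https://auth.icoopeb.org/cas/login?client_name=lmu"/>
    </md:Extensions>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-constructed-placeholder</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.icoopeb.org/cas/login?client_name=lmu" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def client_names_from_location(url):
    """Return the client_name query values carried by an endpoint URL."""
    return parse_qs(urlsplit(url).query).get("client_name", [])


def inspect_sp_metadata(xml_text):
    """Summarise entityID, bound client names, key uses and ACS endpoints."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    bound = set()
    for el in sp.findall("md:Extensions/init:RequestInitiator", NS):
        bound.update(client_names_from_location(el.get("Location", "")))
    for el in sp.findall("md:AssertionConsumerService", NS):
        bound.update(client_names_from_location(el.get("Location", "")))
    return {
        "entity_id": root.get("entityID"),
        "bound_clients": sorted(bound),
        "key_uses": sorted(k.get("use", "any") for k in sp.findall("md:KeyDescriptor", NS)),
        "acs": [(a.get("Binding"), a.get("Location"))
                for a in sp.findall("md:AssertionConsumerService", NS)],
    }


def is_shared_safely(report, expected_clients):
    """True only if every client meant to share this file has endpoints in it."""
    return set(expected_clients) <= set(report["bound_clients"])


if __name__ == "__main__":
    report = inspect_sp_metadata(SAMPLE_SP_METADATA)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("usable by idpufra and idpuce:", is_shared_safely(report, ["idpufra", "idpuce"]))
```

A file reused by several clients whose RequestInitiator and AssertionConsumerService locations all name a single client only carries that client's endpoints, so any IdP given this metadata answers to that one client; is_shared_safely() reports exactly that, which is the property to check before publishing a shared SP entry to a federation.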


Ray Bon

Jul 10, 2024, 11:37:34 PM
to cas-...@apereo.org
wouldsmina,

Are you getting a menu of IdPs to select from, or does cas always default to cas.authn.pac4j.saml[0]?
At the bottom of the cas doc page are a set of tabs 'MENU', 'DYNAMIC', 'CUSTOM'. Dynamic has example JSON. If you want a menu, you could try creating a list of IdP entityIds in a JSON file. (We are only beginning with using cas for SAML, so I am doing a bit of guessing.)

RequestInitiator is optional, you can remove it from metadata.
SPs do not usually need the signing cert.

Ray

Michal Voců

Jul 11, 2024, 4:06:31 AM
to cas-...@apereo.org, Ray Bon
Ray,
  if I understand this correctly, the MENU and other methods only present (or select from) IdPs explicitly defined and configured in CAS properties? Meaning, if we configure a single delegation to a SAML2 IdP and point it to the metadata of all our federation IdPs, only the first IdP is used by the CAS server and only the first one is presented by the CAS internal MENU discovery method, right? And should we need to delegate to more federation IdPs, all of them must be added to the CAS server properties?

Regards,

Michal V.

wouldsmina

Jul 11, 2024, 4:06:31 AM
to cas-...@apereo.org
Hello Ray,

I get a menu with all the IdPs, I can authenticate on the IdPs, the SAML response returns to the CAS server, but it returns an error if it's not a response from the first IdP.
Here is the authentication page: https://auth.icoopeb.org/cas/login (for the moment, this CAS is not declared on other IdPs apart from the first).

I'm going to continue testing, and if I find the right configuration, I'll put it here for information. Thanks for your advice.

Wouldsmina.

Petr Fišer

Jul 11, 2024, 4:06:32 AM
to cas-...@apereo.org
Hello,
I am pretty sure the one entityid for all the IdP references will not work. I did a bit of experimenting on 6.5.x and it works like this:

1) user selects a delegated IdP from the menu
2) cas/pac4j/? looks up the entityid that is associated with it in the properties
3) opensaml library goes through its metadata cache and selects metadata document where there is the same entityid as in step 2.
4) this way, the correct IdP metadata has been found and the authentication process follows what is written in them
5) ... saml2 auth process ... etc.

So no wonder only the first one works.

Cheers,
Fiisch

wouldsmina

Jul 11, 2024, 8:10:58 AM
to cas-...@apereo.org
I tried various modifications, but all ended in failure. You're right Fiisch, it only seems to work with independently declared identity providers.

Thank you for your help. I will try to find another solution to my problem.
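An added example (not part of the thread, and not CAS project code) of the layout the thread converges on: one delegated client per IdP, each declared explicitly in the CAS properties. It splits a federation metadata aggregate into per-IdP metadata files and emits the matching cas.authn.pac4j.saml[N].* properties, using the property names from the configuration posted earlier in the thread. The aggregate is constructed; the host-derived client names, the /sp/<client> entityID scheme and the file locations are assumptions; keystore passwords are deliberately left to the operator; and a real eduGAIN aggregate is signed, so its signature must be verified before anything is extracted from it. This does not remove the federation-charter problem raised above: each generated client still has its own SP entityID.

```python
"""Generate one CAS delegated SAML2 client per IdP from a metadata aggregate.

Constructed example for this thread. The aggregate XML below is hand-written;
the naming scheme for clients, files and SP entityIDs is an assumption, and
keystore passwords are intentionally not generated here.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep md:/mdui: prefixes on output

SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" Name="urn:example:federation">
  <md:EntityDescriptor entityID="https://idp.example-a.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example A</mdui:DisplayName>
      </mdui:UIInfo></md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example-a.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example-c.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://login.example-b.edu/saml2/idp/metadata.php">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://login.example-b.edu/saml2/idp/SSOService.php"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def idp_entities(aggregate_xml):
    """Yield (entityID, display name, EntityDescriptor element) for IdPs only."""
    root = ET.fromstring(aggregate_xml)
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.find("md:IDPSSODescriptor", NS) is None:
            continue  # SPs and attribute authorities are not delegation targets
        name_el = ed.find("md:IDPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:DisplayName", NS)
        display = name_el.text if name_el is not None and name_el.text else ed.get("entityID")
        yield ed.get("entityID"), display, ed


def client_name(entity_id):
    """Property-safe client name derived from the IdP host (assumed scheme)."""
    host = re.sub(r"^https?://", "", entity_id).split("/")[0]
    return re.sub(r"[^a-z0-9]+", "-", host.lower()).strip("-")


def cas_properties(aggregate_xml, base_url, config_dir="/etc/cas/config", start_index=0):
    """Return (properties text, {path: per-IdP metadata XML}), one client per IdP."""
    props, files = [], {}
    for i, (entity_id, display, ed) in enumerate(idp_entities(aggregate_xml), start=start_index):
        name = client_name(entity_id)
        idp_file = f"{config_dir}/idp-metadata-{name}.xml"
        files[idp_file] = ET.tostring(ed, encoding="unicode")  # one IdP per file
        p = f"cas.authn.pac4j.saml[{i}]"
        props += [
            f"{p}.client-name={name}",
            f"{p}.display-name={display}",
            f"{p}.identity-provider-metadata-path={idp_file}",
            # one SP identity, metadata file and keystore per client, as in the
            # working configuration posted earlier; passwords are set by the operator
            f"{p}.service-provider-entity-id={base_url}/sp/{name}",
            f"{p}.service-provider-metadata-path={config_dir}/sp-metadata-{name}.xml",
            f"{p}.keystore-path={config_dir}/samlKeystore-{name}.jks",
            f"{p}.destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "",
        ]
    return "\n".join(props), files


if __name__ == "__main__":
    text, files = cas_properties(SAMPLE_AGGREGATE, "https://auth.icoopeb.org/cas")
    print(text)
    print("per-IdP metadata files:", ", ".join(files))
```

Pointing each client at its own extracted EntityDescriptor sidesteps the aggregate-handling question raised above (only the first IdP in an aggregate being used); the cost is that every generated SP entityID must still be made known to its IdP, either through the federation or directly.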

Ray Bon

Jul 11, 2024, 1:54:53 PM
to cas-...@apereo.org
wouldsmina,

Your cas SP must be known to any IdP you want to authenticate with. If your cas SP metadata is in eduGAIN, that would be enough; otherwise you will have to send it to each IdP you want to interact with, which is much more work.

Ray

Ray Bon

Jul 11, 2024, 1:54:53 PM
to Michal Voců, cas-...@apereo.org
Michal,

Hmmm, you could create a custom discovery service that could pull the IdPs out or the federation metadata. Better would be if the federation provided the discovery service (or some other third party).

Ray

wouldsmina

Jul 12, 2024, 8:07:27 AM
to cas-...@apereo.org
Ray,

Yes, that's what I was going to do, but as CAS generates one SP per IdP to be authorised, I would need one SP per IdP in eduGain, which is contrary to the charter and not very useful. I'm going to try and see if the institutions concerned (there are 8) can modify their IdPs to authorise my CAS, but I'm afraid they don't have the necessary control and/or skills. Colleagues have advised me to try Keycloak, but I'm the one who doesn't have the necessary skills yet.

Best regards,
Wouldsmina


Michal Voců

Jul 12, 2024, 8:07:27 AM
to Ray Bon, cas-...@apereo.org
Ray,
   I am familiar with the documentation you refer to, but I think that there is no client for external discovery service (as specified by http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery-cs-01.pdf) implemented in CAS. All of the methods for choosing specific IdP (or rather SAML2 client) to delegate authentication to (be it MENU, DYNAMIC or even the SAML Discovery implemented in CAS server) work only with clients configured explicitly in CAS properties.

At least for CAS version 6.6.x, from the implementation point of view, it seems to me that input to all selection methods is taken through the bean "builtClients", which proxies to "pac4jDelegatedClientFactory", bulk of which is implemented by "BaseDelegatedClientFactory" (https://github.com/apereo/cas/blob/6.6.x/support/cas-server-support-pac4j-core-clients/src/main/java/org/apereo/cas/support/pac4j/authentication/clients/BaseDelegatedClientFactory.java).

So the question is: is single SAML2 client configured in the CAS server able to delegate to and process assertions from different IdPs?

Thanks,

Michal

Ray Bon

Jul 13, 2024, 12:46:56 AM
to cas-...@apereo.org
Michal, Wouldsmina,

I see there are differences in the docs between 6.6 and 7.0. 

In docs I see this:
Note that you can use more than one external identity provider with CAS, where each integration may be done with a different set of metadata and keys for CAS acting as the service provider

This is an odd statement given the whole point of federation. It may be so because a cas client [application] can only connect to one cas authn server. See this for an explanation of how cas handles different protocols and delegation https://fawnoos.com/2018/02/26/cas-delegation-protocols/

This page https://apereo.github.io/cas/7.0.x/integration/Delegate-Authentication-SAML-Discovery.html has a link to the shibboleth embedded discovery service https://shibboleth.atlassian.net/wiki/spaces/EDS10/overview which may be different than what is provided through geant.

I think discovery service is the best option. It allows for a possibly external list of IdPs, but not limited to the target service nor a 1 to 1 dependence on cas metadata(s).

Ray