We are trying to configure our Workday Preview tenant to authenticate via SAML2 to a CAS 5.2.2 IdP.
In the management webapp, we have defined a "SAML2 Service Provider" service. The EntityID is set to: https://impl.workday.com/xxxxx which matches the EntityID in the SP's metadata.

When we try to log in to Workday, we receive this error from the Workday side:

    Invalid Audience in SAML token: URL should start with http://www.workday.com, or end with /xxxxx/login-saml.htmld

The string they're saying it should end with is the tenant name ("xxxxx") and the name of the web page (login-saml.htmld) that is listed in the metadata as the AssertionConsumerService. However, CAS is sending back the EntityID as the audience:

    <saml2:Conditions NotBefore="2018-03-13T16:39:12.776Z" NotOnOrAfter="2018-03-13T16:39:17.776Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://impl.workday.com/xxxxx</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>

which appears to be correct behavior in the normal (non-Workday) world.

On our old CAS 3.5.x/Shibboleth 2.4.0 setup (which the same Workday tenant works successfully with), we had to add a line in the relying party profile configuration (in relying-party.xml) to address this:

    <saml:Audience>http://www.workday.com</saml:Audience>

which results in the SAML2 response sent back to Workday containing two audiences:

    <saml2:Conditions NotBefore="2018-03-13T13:44:01.503Z" NotOnOrAfter="2018-03-13T13:49:01.503Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://impl.workday.com/xxxxx</saml2:Audience>
        <saml2:Audience>http://www.workday.com</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>

However, I don't see any way to perform the equivalent, either through the management webapp's user interface or by editing the service registry manually. And I don't see anything in the documentation or searching the code on GitHub.

We are NOT using the cas-server-support-saml-sp-integrations dependency.... should we be?

Does anyone have CAS 5.2.x SAML IdP working with Workday, especially a sandbox/implementation/preview tenant?
Any ideas (even crazy ones) gladly accepted...

Thanks,
--Dave
