Following up my own post to document how we solved this for posterity (or
at least for the next person who has the problem and searches the forum).

The SAML2 spec says that by default, the audience should be set to the
value of the entityID. And sure enough, that's what CAS is sending back.

This morning I remembered that although the CONVENTION is to use the SP's
URL as the entityID, that's not actually a requirement. So... I edited the
Workday SP metadata (which Workday doesn't provide anyway; you have to
create your own) and changed the entityID from

https://impl.workday.com/xxxxx


to

http://www.workday.com/xxxxx


This is not a valid URL, but it starts with "http://www.workday.com", like
Workday wants for the audience. I also changed the CAS service registry
entry to look for the new entityID.

I did NOT change the URL further down in the metadata where the
AssertionConsumerService is specified. It's still set to a real, functional URL:

https://impl.workday.com/xxxxx/login-saml.htmld


So now, the CAS IdP will still post the results to the AssertionConsumerService
URL, but it will set the audience restriction to the entityID, which now
looks like what Workday wants, and Workday is a happy camper.

Not sure if this will work in all cases, but it seems to have worked in
this one.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • [email protected]


On Tue, Mar 13, 2018 at 3:34 PM, <[email protected]> wrote:

> We are trying to configure our Workday Preview tenant to authenticate via
> SAML2 to a CAS 5.2.2 IdP.
>
> In the management webapp, we have defined a "SAML2 Service Provider"
> service. The EntityID is set to:
>
> https://impl.workday.com/xxxxx
>
>
> which matches the EntityID in the SP's metadata.  When we try to log in to
> Workday, we receive this error from the Workday side:
>
> Invalid Audience in SAML token: URL should start with
> http://www.workday.com, or end with /xxxxx/login-saml.htmld
>
>
> The string they're saying it should end with is the tenant name ("xxxxx")
> and the name of the web page (login-saml.htmld) that is listed in the
> metadata as the AssertionConsumerService. However, CAS is sending back
> the EntityID as the audience:
>
>         <saml2:Conditions NotBefore="2018-03-13T16:39:12.776Z"
>                           NotOnOrAfter="2018-03-13T16:39:17.776Z">
>             <saml2:AudienceRestriction>
>                 <saml2:Audience>https://impl.workday.com/xxxxx</saml2:Audience>
>             </saml2:AudienceRestriction>
>         </saml2:Conditions>
>
> which appears to be correct behavior in the normal (non-Workday) world.
>
> On our old CAS 3.5.x/Shibboleth 2.4.0 setup (which the same Workday tenant
> works successfully with), we had to add a line in the relying party profile
> configuration (in relying-party.xml) to address this:
>
> <saml:Audience>http://www.workday.com</saml:Audience>
>
>
> which results in the SAML2 response sent back to Workday containing two
> audiences:
>
>       <saml2:Conditions NotBefore="2018-03-13T13:44:01.503Z"
>                         NotOnOrAfter="2018-03-13T13:49:01.503Z">
>          <saml2:AudienceRestriction>
>             <saml2:Audience>https://impl.workday.com/xxxxx</saml2:Audience>
>             <saml2:Audience>http://www.workday.com</saml2:Audience>
>          </saml2:AudienceRestriction>
>       </saml2:Conditions>
>
> However, I don't see any way to perform the equivalent, either through the
> management webapp's user interface or by editing the service registry
> manually. And I don't see anything in the documentation or searching the
> code on GitHub.
>
> We are NOT using the cas-server-support-saml-sp-integrations
> dependency.... should we be?
>
> Does anyone have CAS 5.2.x SAML IdP working with Workday, especially a
> sandbox/implementation/preview tenant?
>
> Any ideas (even crazy ones) gladly accepted...
>
> Thanks,
> --Dave
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/
> apereo.org/d/msgid/cas-user/93ff6e18-8090-4664-b84f-
> a01702cbf053%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/93ff6e18-8090-4664-b84f-a01702cbf053%40apereo.org?utm_medium=email&utm_source=footer>
> .
>
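As an added example (not code from this thread, from CAS or from Workday), the following Python script models the exchange the two messages describe end to end: the IdP reads the SP's entityID from its metadata, uses it as the default audience, and the SP then applies its audience check. The tenant name xxxxx, the metadata layout and the "other SP" entityID are constructed placeholders; Workday's acceptance rule is taken literally from the error message quoted above, and the script shows why the original entityID fails it, why the renamed entityID and the old two-audience Shibboleth configuration both pass it, and why the renamed entityID must still be unique to this SP.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ET.register_namespace("saml2", NS["saml2"])

TENANT = "xxxxx"  # placeholder tenant name, redacted the same way as in the thread
ACS_URL = f"https://impl.workday.com/{TENANT}/login-saml.htmld"
# Fixed issue time matching the first assertion quoted in the thread.
ISSUED = datetime(2018, 3, 13, 16, 39, 12, 776000, tzinfo=timezone.utc)


def sp_metadata(entity_id):
    """Constructed SP metadata: only the entityID varies between scenarios;
    the AssertionConsumerService stays the real endpoint, as in the thread."""
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="{entity_id}">'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:AssertionConsumerService index="0" '
        'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'Location="{ACS_URL}"/>'
        "</md:SPSSODescriptor></md:EntityDescriptor>"
    )


def read_sp_metadata(metadata_xml):
    """Return (entityID, ACS Location), the two values the IdP takes from SP metadata."""
    root = ET.fromstring(metadata_xml)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    return root.get("entityID"), acs.get("Location")


def saml_time(dt):
    """UTC timestamp with millisecond precision, e.g. 2018-03-13T16:39:12.776Z."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def build_conditions(audiences, not_before, lifetime=timedelta(seconds=5)):
    """IdP side: emit <saml2:Conditions> with one <saml2:Audience> per entry.
    The SAML2 default the thread describes is audiences == [sp_entity_id]."""
    def q(tag):
        return f"{{{NS['saml2']}}}{tag}"
    cond = ET.Element(q("Conditions"), {
        "NotBefore": saml_time(not_before),
        "NotOnOrAfter": saml_time(not_before + lifetime),
    })
    restriction = ET.SubElement(cond, q("AudienceRestriction"))
    for audience in audiences:
        ET.SubElement(restriction, q("Audience")).text = audience
    return ET.tostring(cond, encoding="unicode")


def extract_audiences(conditions_xml):
    """SP side: pull every Audience value out of the Conditions element."""
    cond = ET.fromstring(conditions_xml)
    return [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]


def workday_accepts(audiences):
    """Workday's rule as stated in its error message: an audience must start with
    http://www.workday.com or end with /<tenant>/login-saml.htmld. One match suffices."""
    return any(a.startswith("http://www.workday.com") or a.endswith(f"/{TENANT}/login-saml.htmld")
               for a in audiences)


def strict_sp_accepts(audiences, my_entity_id):
    """The ordinary SP check: the assertion must name this SP's own entityID,
    which is what stops an assertion minted for another SP being presented here."""
    return my_entity_id in audiences


def run_scenarios():
    results = {}

    # 1. Original metadata: entityID is the SP URL; the default audience fails Workday's rule.
    entity_id, _ = read_sp_metadata(sp_metadata(f"https://impl.workday.com/{TENANT}"))
    results["original_entityid"] = workday_accepts(extract_audiences(build_conditions([entity_id], ISSUED)))

    # 2. The fix from the thread: entityID renamed to an identifier Workday accepts;
    #    the ACS Location is untouched, so the POST still goes to a real endpoint.
    entity_id, acs = read_sp_metadata(sp_metadata(f"http://www.workday.com/{TENANT}"))
    results["renamed_entityid"] = workday_accepts(extract_audiences(build_conditions([entity_id], ISSUED)))
    results["acs_unchanged"] = acs == ACS_URL

    # 3. The old Shibboleth approach: keep the entityID and add a second audience.
    both = [f"https://impl.workday.com/{TENANT}", "http://www.workday.com"]
    results["two_audiences"] = workday_accepts(extract_audiences(build_conditions(both, ISSUED)))

    # 4. Why the renamed entityID must stay unique in the service registry: an assertion
    #    issued for a different (constructed) SP entityID is still refused by a strict SP.
    other = extract_audiences(build_conditions(["https://other-sp.example/metadata"], ISSUED))
    results["cross_sp_replay_blocked"] = not strict_sp_accepts(other, f"http://www.workday.com/{TENANT}")
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:24s} {ok}")
```

Run it with `python3 audience_check.py` (any file name works) and each scenario prints True or False. The design point worth keeping in mind is scenario 4: the AudienceRestriction exists so that an assertion the IdP issued for one relying party cannot be accepted by a different one, so whatever value the entityID is renamed to has to remain the one identifier the CAS service registry entry matches for this SP, which is exactly the registry change the post above describes making. The acceptance rule coded here is only what Workday's error text states; the real check may be stricter.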
