I'm working on getting CAS 5.3 SAML2 IdP working with Workday, but not making much progress. Workday says the metadata file isn't required, but I can't see any way to set it up without one. Can you give more details on how you got this to work?
Thanks

On Tuesday, March 13, 2018 at 2:34:16 PM UTC-5, [email protected] wrote:
>
> We are trying to configure our Workday Preview tenant to authenticate via
> SAML2 to a CAS 5.2.2 IdP.
>
> In the management webapp, we have defined a "SAML2 Service Provider"
> service. The EntityID is set to:
>
> https://impl.workday.com/xxxxx
>
> which matches the EntityID in the SP's metadata. When we try to log in to
> Workday, we receive this error from the Workday side:
>
> Invalid Audience in SAML token: URL should start with
> http://www.workday.com, or end with /xxxxx/login-saml.htmld
>
> The string they're saying it should end with is the tenant name ("xxxxx")
> and the name of the web page (login-saml.htmld) that is listed in the
> metadata as the AssertionConsumerService. However, CAS is sending back
> the EntityID as the audience:
>
> <saml2:Conditions NotBefore="2018-03-13T16:39:12.776Z"
>     NotOnOrAfter="2018-03-13T16:39:17.776Z">
>   <saml2:AudienceRestriction>
>     <saml2:Audience>https://impl.workday.com/xxxxx</saml2:Audience>
>   </saml2:AudienceRestriction>
> </saml2:Conditions>
>
> which appears to be correct behavior in the normal (non-Workday) world.
>
> On our old CAS 3.5.x/Shibboleth 2.4.0 setup (which the same Workday tenant
> works successfully with), we had to add a line in the relying party profile
> configuration (in relying-party.xml) to address this:
>
> <saml:Audience>http://www.workday.com</saml:Audience>
>
> which results in the SAML2 response sent back to Workday containing two
> audiences:
>
> <saml2:Conditions NotBefore="2018-03-13T13:44:01.503Z"
>     NotOnOrAfter="2018-03-13T13:49:01.503Z">
>   <saml2:AudienceRestriction>
>     <saml2:Audience>https://impl.workday.com/xxxxx</saml2:Audience>
>     <saml2:Audience>http://www.workday.com</saml2:Audience>
>   </saml2:AudienceRestriction>
> </saml2:Conditions>
>
> However, I don't see any way to perform the equivalent, either through the
> management webapp's user interface or by editing the service registry
> manually. And I don't see anything in the documentation or searching the
> code on GitHub.
>
> We are NOT using the cas-server-support-saml-sp-integrations
> dependency.... should we be?
>
> Does anyone have CAS 5.2.x SAML IdP working with Workday, especially a
> sandbox/implementation/preview tenant?
>
> Any ideas (even crazy ones) gladly accepted...
>
> Thanks,
> --Dave
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/998a97d5-c952-4c81-8593-4da80388959b%40apereo.org.
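Added example, not code from either poster, CAS or Workday: a small Python script that applies the audience and validity-window checks a SAML service provider performs to the two Conditions blocks quoted above. One acceptance rule is the standard one (audience must equal the SP's EntityID); the other is the rule Workday states in its error message. The tenant name "xxxxx" is the placeholder from the thread, and both Conditions samples are constructed from the quoted XML.

```python
"""Audience-restriction check modelled on the Workday error quoted in the thread.

The two saml2:Conditions samples below are constructed from the XML in the
original post; the tenant name "xxxxx" is the thread's placeholder.
"""
import datetime as dt
import xml.etree.ElementTree as ET  # for untrusted SAML input, parse with defusedxml instead

SAML2_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
TENANT = "xxxxx"                              # placeholder tenant name from the thread
ENTITY_ID = "https://impl.workday.com/xxxxx"  # EntityID registered for the SP in CAS

# Constructed sample: what CAS 5.2.2 returned (one audience, five-second window).
CAS_CONDITIONS = """\
<saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    NotBefore="2018-03-13T16:39:12.776Z" NotOnOrAfter="2018-03-13T16:39:17.776Z">
  <saml2:AudienceRestriction>
    <saml2:Audience>https://impl.workday.com/xxxxx</saml2:Audience>
  </saml2:AudienceRestriction>
</saml2:Conditions>
"""

# Constructed sample: what the Shibboleth 2.4 IdP returned after the relying-party.xml change.
SHIB_CONDITIONS = """\
<saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    NotBefore="2018-03-13T13:44:01.503Z" NotOnOrAfter="2018-03-13T13:49:01.503Z">
  <saml2:AudienceRestriction>
    <saml2:Audience>https://impl.workday.com/xxxxx</saml2:Audience>
    <saml2:Audience>http://www.workday.com</saml2:Audience>
  </saml2:AudienceRestriction>
</saml2:Conditions>
"""


def parse_ts(value):
    """Parse the xs:dateTime form used in the samples (UTC with a fractional second)."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=dt.timezone.utc)


def workday_accepts(audience):
    """The acceptance rule Workday states in its error message."""
    return (audience.startswith("http://www.workday.com")
            or audience.endswith(f"/{TENANT}/login-saml.htmld"))


def standard_accepts(audience):
    """What a typical SP does: the audience must equal its own EntityID."""
    return audience == ENTITY_ID


def validate_conditions(xml_text, now, accepts):
    """Return (ok, reason) for one saml2:Conditions element.

    Validity window: NotBefore <= now < NotOnOrAfter.
    Audience: every AudienceRestriction must be satisfied, and a restriction is
    satisfied when any one of its Audience values is acceptable (SAML Core 2.5.1.4).
    `now` may be a datetime or a timestamp string in the same format as the XML.
    """
    if isinstance(now, str):
        now = parse_ts(now)
    root = ET.fromstring(xml_text)
    not_before = parse_ts(root.get("NotBefore"))
    not_on_or_after = parse_ts(root.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return False, "assertion outside validity window"

    restrictions = root.findall("saml2:AudienceRestriction", SAML2_NS)
    if not restrictions:
        return False, "no AudienceRestriction present"
    for restriction in restrictions:
        audiences = [a.text.strip() for a in restriction.findall("saml2:Audience", SAML2_NS)]
        if not any(accepts(a) for a in audiences):
            return False, f"no acceptable audience among {audiences}"
    return True, "ok"


if __name__ == "__main__":
    at_cas = "2018-03-13T16:39:15.000Z"   # inside the CAS sample's window
    at_shib = "2018-03-13T13:45:00.000Z"  # inside the Shibboleth sample's window
    print("CAS assertion, Workday rule:   ", validate_conditions(CAS_CONDITIONS, at_cas, workday_accepts))
    print("CAS assertion, standard rule:  ", validate_conditions(CAS_CONDITIONS, at_cas, standard_accepts))
    print("Shib assertion, Workday rule:  ", validate_conditions(SHIB_CONDITIONS, at_shib, workday_accepts))
    print("Shib assertion, standard rule: ", validate_conditions(SHIB_CONDITIONS, at_shib, standard_accepts))
```

The run shows why the Shibboleth workaround succeeds: the second audience satisfies Workday's rule while the first still satisfies an SP that compares against its EntityID, and a single matching Audience inside one AudienceRestriction is all the SAML core spec requires. Two caveats worth keeping in mind: adding `http://www.workday.com` as an audience means any relying party that identifies itself by that value would also accept the assertion, so scope the extra audience to the Workday service definition only; and the CAS sample's NotBefore/NotOnOrAfter are only five seconds apart, so the time check above fails with even modest clock skew between IdP and SP, which is a separate problem from the audience mismatch.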
