> But I am not sure if this is needed - but CAS loads it successfully on boot.

At least in CAS 5, SAML2 will not work if you do not have that service. I don't know if CAS 6 still requires it, but I would assume that it does unless you can find something that says it doesn't.

--Dave

--
DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • [email protected]

On Thu, Jun 6, 2019 at 10:41 AM Fabian Schipp <[email protected]> wrote:

> There is one more service called SAML2CallbackProfile which was suggested in a tutorial:
>
> https://dacurry-tns.github.io/deploying-apereo-cas/building_server_saml_update-the-service-registry.html#create-a-service-definition-for-the-idp-endpoint
>
> {
>   /*
>    * The CAS SAML IdP creates this endpoint as part of its initialization
>    * process at server startup time. If the service registry doesn't already
>    * contain an entry whose serviceId matches the endpoint, CAS will create
>    * a new service definition and save it to the registry. If the CAS server
>    * doesn't have write access to the registry, then the save will fail and
>    * the server will not start.
>    *
>    * To avoid that situation, and to make it clear that this endpoint is a
>    * "desired" service, it is defined explicitly here.
>    */
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "https://<CAS-URL>/cas/idp/profile/SAML2/Callback.+",
>   "name" : "SAML Authentication Request",
>   "id" : 1558621367337136,
>   "evaluationOrder" : 100
> }
>
> But I am not sure if this is needed - but CAS loads it successfully on boot.
>
> Is there any other simplistic service I could try to see if CAS loads anything correctly?
>
> On Thursday, June 6, 2019 at 4:21:04 PM UTC+2, Matthew Uribe wrote:
>>
>> OK. So if root is running CAS, and root owns the json file, then that part should be fine. Do you have any other services registered that CAS is reading correctly?
>>
>> On Thursday, June 6, 2019 at 7:54:52 AM UTC-6, Fabian Schipp wrote:
>>>
>>> I am running the .war overlay, therefore I have no tomcat user.
>>> But I checked the file, it's owned by the root user.
>>> I then checked the process running the war file environment in the jdk folder - it is also the root user.
>>>
>>> On Thursday, 6 June 2019 15:37:05 UTC+2, Matthew Uribe wrote:
>>>>
>>>> Is the devConfluence-1558621301329267.json file readable for whatever user/service is running CAS? When I forget to change ownership of my json files to the tomcat user, I run into the same issue.
>>>>
>>>> On Thursday, June 6, 2019 at 7:06:50 AM UTC-6, Fabian Schipp wrote:
>>>>>
>>>>> Hi everyone,
>>>>>
>>>>> I am currently trying to connect Confluence as SAML SP with a CAS 6 instance.
>>>>> CAS Server on its own is running fine. I added a SAML service I created using the docs chapter on SAML services:
>>>>>
>>>>> https://apereo.github.io/cas/6.0.x/installation/Configuring-SAML2-Authentication.html#saml-services
>>>>>
>>>>> My SAML service:
>>>>> {
>>>>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>>>>   "serviceId" : "https://<CONFLUENCE_DOMAIN>/plugins/servlet/samlsso",
>>>>>   "name" : "dev Confluence Application",
>>>>>   "id" : 1558621301329267,
>>>>>   "metadataLocation" : "https://<CONFLUENCE_DOMAIN>/plugins/servlet/samlsso/metadata",
>>>>>   "evaluationOrder" : 10
>>>>> }
>>>>>
>>>>> CAS does load the service, but it looks like it is malformed in some way.
>>>>>
>>>>> I checked some things that might have gone wrong:
>>>>> - the metadata-URL does link to the correct metadata of the SP
>>>>> - the serviceId matches the corresponding URL from the confluence system
>>>>> - the id field matches the name of the service-filename (it is called devConfluence-1558621301329267.json)
>>>>>
>>>>> The output I get is this:
>>>>> 2019-06-06 14:56:58,002 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <Located issuer [https://<CONFLUENCE_DOMAIN>/plugins/servlet/samlsso] from authentication request>
>>>>>
>>>>> 2019-06-06 14:56:58,004 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <Checking service access in CAS service registry for [AbstractWebApplicationService(id=https://<CONFLUENCE_DOMAIN>/plugins/servlet/samlsso, originalUrl=https://<CONFLUENCE_DOMAIN>/plugins/servlet/samlsso, artifactId=null, principal=null, source=null, loggedOutAlready=false, format=XML, attributes={})]>
>>>>>
>>>>> 2019-06-06 14:56:58,024 WARN [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <[https://<CONFLUENCE_DOMAIN>/plugins/servlet/samlsso] is not found in the registry or service access is denied. Ensure service is registered in service registry>
>>>>>
>>>>> So there is another service registry I have to register my service in?
>>>>> Are there any more fields that are mandatory to include in the service? If so, I can't find the correct page on the docs that says so.
>>>>>
>>>>> I am really lost on this one. Any help is appreciated.
>>>>>
>>>>> Thank you very much.
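As an added illustration (not code from the thread, and not CAS's own code), a small Python check that walks through the three things this thread pokes at: that the `id` field agrees with the `<name>-<id>.json` filename, that the `serviceId` regex matches the issuer CAS logged in the "Located issuer" line, and that the file is readable by the running process. It assumes CAS matches `serviceId` as a regex against the SP issuer; the service file content and the `confluence.example.org` domain are constructed samples.

```python
import json
import os
import re
import tempfile

# Constructed sample shaped like the SamlRegisteredService posted in the
# thread; the domain is a placeholder, not a real SP.
SAMPLE_FILENAME = "devConfluence-1558621301329267.json"
SAMPLE_CONTENT = """{
  /* CAS allows these block comments in JSON service files */
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://confluence.example.org/plugins/servlet/samlsso",
  "name" : "dev Confluence Application",
  "id" : 1558621301329267,
  "metadataLocation" : "https://confluence.example.org/plugins/servlet/samlsso/metadata",
  "evaluationOrder" : 10
}"""
# Issuer as CAS reports it in the "Located issuer [...]" DEBUG line.
SAMPLE_ISSUER = "https://confluence.example.org/plugins/servlet/samlsso"

def parse_service_file(text):
    """Strip /* ... */ comments, then parse the remaining JSON."""
    return json.loads(re.sub(r"/\*.*?\*/", "", text, flags=re.S))

def check_saml_service(filename, text, issuer):
    """Return the problems found; an empty list means the definition looks consistent."""
    svc = parse_service_file(text)
    problems = []
    if svc.get("@class") != "org.apereo.cas.support.saml.services.SamlRegisteredService":
        problems.append("@class is not SamlRegisteredService")
    # JSON registry files are named <name>-<id>.json; the numeric suffix must equal "id".
    m = re.fullmatch(r".+-(\d+)\.json", filename)
    if not m or int(m.group(1)) != svc.get("id"):
        problems.append("filename id does not match the 'id' field")
    if not svc.get("metadataLocation"):
        problems.append("metadataLocation is missing")
    # serviceId is a regex searched against the SP issuer/entityID (assumption:
    # close enough to CAS's own regex matching for a sanity check).
    if not re.search(svc.get("serviceId", "$^"), issuer):
        problems.append("serviceId pattern does not match issuer " + issuer)
    return problems

def run_sample():
    """Write the sample to a temp dir, then run the content and permission checks."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, SAMPLE_FILENAME)
        with open(path, "w") as f:
            f.write(SAMPLE_CONTENT)
        # os.access answers Matthew's question: can this (the CAS) process read it?
        return check_saml_service(SAMPLE_FILENAME, SAMPLE_CONTENT, SAMPLE_ISSUER), os.access(path, os.R_OK)
```

Run `check_saml_service` against the real file name, content and the issuer from your own "Located issuer" log line to see which of the three conventions a definition breaks.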
