Logout requests should be signed as a best practice. This should be done on the 
SP.
If you cannot get the SP to sign, there are IdP settings to turn it off, 
https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#saml-logout

Ray
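
To make that policy concrete, here is an added Python sketch (not code from CAS or from this thread) of the decision an IdP makes on an incoming SAML LogoutRequest: accept only requests whose Issuer matches a registered SP and which carry a signature referencing their own ID, with a force_signed switch standing in for the IdP-side setting linked above. The service pattern is the serviceId from the registry entry further down; the two messages are constructed samples, and cryptographic verification of the digest and signature value is deliberately left to an XML-DSig library.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces for SAML 2.0 protocol/assertion elements and XML-DSig.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Stand-in for the registered service: the serviceId pattern from the thread.
SERVICE_ID_PATTERN = re.compile(r"^https://yyy.kb.ap-northeast-1.aws.found.io.*")


def check_logout_request(xml_text: str, force_signed: bool = True) -> str:
    """Return 'ok' if the LogoutRequest passes policy, otherwise the reason.
    force_signed=False models the IdP-side setting that relaxes the
    signing requirement; only acceptable for a POC."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        return "not a LogoutRequest"
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if not SERVICE_ID_PATTERN.match(issuer):
        return "issuer %r does not match a registered service" % issuer
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return "Logout request is not signed but should be." if force_signed else "ok"
    # The signature must bind to this very message: its Reference URI has to
    # name the request's own ID. Digest and signature-value verification is
    # left to an XML-DSig library (e.g. xmlsec) and is not performed here.
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + root.get("ID", ""):
        return "signature does not reference this request"
    return "ok"


# Constructed sample messages (not real traffic).
UNSIGNED = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_req1" Version="2.0" IssueInstant="2021-07-28T03:10:00Z">
  <saml:Issuer>https://yyy.kb.ap-northeast-1.aws.found.io:9243/</saml:Issuer>
  <saml:NameID>alice</saml:NameID>
</samlp:LogoutRequest>"""

SIGNED = UNSIGNED.replace("</saml:Issuer>", """</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:Reference URI="#_req1"/></ds:SignedInfo>
    <ds:SignatureValue>constructed-placeholder</ds:SignatureValue>
  </ds:Signature>""")
```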

On Wed, 2021-07-28 at 11:10 +0800, cheekian yap wrote:

Hi Ray,

Thanks for the info. It turns out CAS could not create certificates because I did not 
set the right entity ID in the IdP configuration. After fixing that, I managed to 
get SSO working with Elasticsearch.

However, upon logging out from Elasticsearch, I got another error message 
saying "Error: Logout request is not signed but should be."
Is this because of misconfiguration on the SP or IdP side?

On Fri, 23 Jul 2021 at 11:42 PM, Ray Bon <[email protected]> wrote:
Your error is about signing credentials for the IdP.

Cas should create metadata and certificates. Perhaps cas is unable to write 
into the default directory, /etc/cas

If this is just a POC, you could turn off signing. See service config here, 
https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html

Ray

On Thu, 2021-07-22 at 20:47 -0700, cheekian yap wrote:

I'm doing a POC to integrate Elastic Cloud with Apereo CAS using the SAML2 protocol.

Here is my service registry configuration:
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "^https://yyy.kb.ap-northeast-1.aws.found.io.*",
  "name" : "ElasticsearchSAMLService",
  "id" : 2,
  "evaluationOrder" : 2,
  "metadataLocation" : "file:/root/cas-overlay-template/saml-metadata/elasticsearch.xml",
  "issuerEntityId" : "https://cas.sinlead.com/cas/idp"
}

I'm able to redirect from Kibana to the Apereo login page. However, after 
authenticating myself, I got a 500 Internal Server Error page.

Here is the application log:

2021-07-23 11:39:49,831 INFO 
[org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade]
 - <Resolved metadata chain from 
[file:/root/cas-overlay-template/saml-metadata/elasticsearch.xml]. Filtering 
the chain by entity ID [https://yyy.kb.ap-northeast-1.aws.found.io:9243/]>
2021-07-23 11:39:49,834 INFO 
[org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade]
 - <Resolved metadata chain from 
[file:/root/cas-overlay-template/saml-metadata/elasticsearch.xml]. Filtering 
the chain by entity ID [https://yyy.kb.ap-northeast-1.aws.found.io:9243/]>
2021-07-23 11:39:49,886 ERROR 
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] 
- <Unable to locate any signing credentials for service 
[ElasticsearchSAMLService]>
2021-07-23 11:39:49,889 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: Unable to locate signing credentials
ACTION: SAML2_RESPONSE_CREATED
APPLICATION: CAS
WHEN: Fri Jul 23 11:39:49 CST 2021
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1

I was wondering what I did wrong. I'm pretty sure the file path is correct.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/cfa0907cefb07b217b45332bcdfaa677ee4aed15.camel%40uvic.ca.
