Have you tried: cas.authn.saml-idp.metadata.file-system.location=file:/somedir/somesubdir/saml
I have my idp certs/keys in location defined above. Note prior to 6.4.5 the key is simply cas.authn.saml-idp.metadata.location I have another metadata folder where I keep my metadata and in my services I point to this metadata folder @Agustin, also make sure you have property below with a value that is fitting for you. cas.authn.saml-idp.core.entity-id=https://sso-idp.mydomain.com/idp/saml On Tuesday, February 1, 2022 at 11:21:41 AM UTC-6 Ray Bon wrote: > Agustín, > > Cas needs access to your certificates as well. > My certificates are in the same directory as the metadata. They are > idp-signing.crt > idp-signing.key > idp-encryption.crt > idp-encryption.key > > Cas creates them when it creates metadata. > I assume that 'My Signing Cert' is a stand in for the actual cert. Just > make sure it matches the file above. > > I could not find anything in the docs to change the location of the > certificates. I would prefer to have my keys in a different directory. > > Ray > > On Tue, 2022-02-01 at 07:34 -0800, Agustín Ezequiel Pereyra wrote: > > Notice: This message was sent from outside the University of Victoria > email system. Please be cautious with links and sensitive information. > > Hello, > > When I configure Apereo CAS version 6.4.5 to act as an IdP for the SAML2 > protocol, I get a weird error. If I don't create the directory > */etc/cas/saml*, and leave CAS free to handle the creation of the > idp-metadata.xml file, it works fine. But if I try to use my own > *idp-metadata.xml > *file, and put it at */etc/cas/saml*, I get the error: > > *2022-02-01 11:59:29,715 ERROR > [org.apereo.cas.support.saml.web.idp.profile.builders.enc.DefaultSamlIdPObjectSigner] > > - <Unable to locate any signing credentials for service [Mi cool service]>* > > I have verified my metadata file with this site: > https://www.samltool.com/validate_xml.php, and seems to be correct. I put > it down here in case it is useful, changing sensible names and that stuff: > > > <?xml version="1.0"?> > <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" > xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" > validUntil="2021-12-30T15:55:49Z" cacheDuration="PT1641311749S" entityID=" > http://mycas.com/cas/idp/metadata";> > <md:IDPSSODescriptor WantAuthnRequestsSigned="true" > protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> > <md:Extensions> > <mdui:UIInfo> > <mdui:DisplayName xml:lang="en">My Site</mdui:DisplayName> > <mdui:Description xml:lang="en">The identity provider at My > Site</mdui:Description> > <mdui:Logo height="32" width="32" xml:lang="en">https://logo_url > </mdui:Logo> > </mdui:UIInfo> > </md:Extensions> > <md:KeyDescriptor use="signing"> > <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> > <ds:X509Data> > <ds:X509Certificate>My Signing Cert</ds:X509Certificate> > </ds:X509Data> > </ds:KeyInfo> > </md:KeyDescriptor> > <md:KeyDescriptor use="encryption"> > <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> > <ds:X509Data> > <ds:X509Certificate>My Encription Cert</ds:X509Certificate> > </ds:X509Data> > </ds:KeyInfo> > </md:KeyDescriptor> > <md:SingleLogoutService > Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=" > http://mycas.com/cas/idp/profile/SAML2/POST/SLO"/> > <md:SingleLogoutService > Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location=" > http://mycas.com/cas/logout"/> > > <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat> > <md:SingleSignOnService > Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=" > http://mycas.com/cas/idp/profile/SAML2/POST/SSO"/> > <md:SingleSignOnService > Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" > Location="http://mycas.com/cas/idp/profile/SAML2/POST-SimpleSign/SSO"/> > <md:SingleSignOnService > Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location=" > http://mycas.com/cas/idp/profile/SAML2/SOAP/ECP"/> > <md:SingleSignOnService > Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location=" > http://mycas.com/cas/login"/> > </md:IDPSSODescriptor> > <md:Organization> > <md:OrganizationName xml:lang="en-US">Organization > Name</md:OrganizationName> > <md:OrganizationDisplayName > xml:lang="en-US">Name</md:OrganizationDisplayName> > <md:OrganizationURL xml:lang="en-US">https://mysite.com > </md:OrganizationURL> > </md:Organization> > <md:ContactPerson contactType="administrative"> > <md:GivenName>Some Guy</md:GivenName> > <md:EmailAddress>mailto:[email protected]</md:EmailAddress> > </md:ContactPerson> > <md:ContactPerson contactType="technical"> > <md:GivenName>Other Guy</md:GivenName> > <md:EmailAddress>[email protected]</md:EmailAddress> > </md:ContactPerson> > <md:ContactPerson contactType="support"> > <md:GivenName>Another One</md:GivenName> > <md:EmailAddress>[email protected]</md:EmailAddress> > </md:ContactPerson> > </md:EntityDescriptor> > Do you have any idea of what could be the problem? > > Thanks > > -- > > Ray Bon > Programmer Analyst > Development Services, University Systems > 2507218831 <(250)%20721-8831> | CLE 019 | [email protected] > > I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional > territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ > peoples whose historical relationships with the land continue to this day. > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/17393553-0c37-4fbb-b7ac-565eaf049133n%40apereo.org.
