Ray,

Thank you very much for your answer! I just found out that the real problem was that the idp-metadata.xml had expired. The validUntil="2021-12-30T15:55:49Z" in the XML indicated a past date. I changed that and now it works! I think the error message from CAS could be more precise in this case, as when I read that CAS was "Unable to locate any signing credentials for service [Mi cool service]", I thought it wasn't even seeing the file.

And regarding the change of location you mention, I found this property that seems to change the location of the SAML data (it should go in the cas.properties file):

cas.authn.saml-idp.metadata.file-system.location=file:/etc/cas/saml

I haven't tried it myself, but it may work. The part of the docs where it is mentioned is here -> https://apereo.github.io/cas/6.4.x/installation/Configuring-SAML2-DynamicMetadata.html#file-system

Regards,

On Tue, 1 Feb 2022 at 14:21, Ray Bon (<[email protected]>) wrote:

> Agustín,
>
> Cas needs access to your certificates as well.
> My certificates are in the same directory as the metadata. They are
> idp-signing.crt
> idp-signing.key
> idp-encryption.crt
> idp-encryption.key
>
> Cas creates them when it creates metadata.
> I assume that 'My Signing Cert' is a stand in for the actual cert. Just
> make sure it matches the file above.
>
> I could not find anything in the docs to change the location of the
> certificates. I would prefer to have my keys in a different directory.
>
> Ray
>
> On Tue, 2022-02-01 at 07:34 -0800, Agustín Ezequiel Pereyra wrote:
>
> Notice: This message was sent from outside the University of Victoria
> email system. Please be cautious with links and sensitive information.
>
> Hello,
>
> When I configure Apereo CAS version 6.4.5 to act as an IdP for the SAML2
> protocol, I get a weird error. If I don't create the directory
> /etc/cas/saml, and leave CAS free to handle the creation of the
> idp-metadata.xml file, it works fine. But if I try to use my own
> idp-metadata.xml file, and put it at /etc/cas/saml, I get the error:
>
> 2022-02-01 11:59:29,715 ERROR
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.DefaultSamlIdPObjectSigner]
> - <Unable to locate any signing credentials for service [Mi cool service]>
>
> I have verified my metadata file with this site:
> https://www.samltool.com/validate_xml.php, and it seems to be correct. I put
> it down here in case it is useful, changing sensitive names and that stuff:
>
> <?xml version="1.0"?>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>     xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
>     validUntil="2021-12-30T15:55:49Z" cacheDuration="PT1641311749S"
>     entityID="http://mycas.com/cas/idp/metadata">
>   <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
>       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>     <md:Extensions>
>       <mdui:UIInfo>
>         <mdui:DisplayName xml:lang="en">My Site</mdui:DisplayName>
>         <mdui:Description xml:lang="en">The identity provider at My Site</mdui:Description>
>         <mdui:Logo height="32" width="32" xml:lang="en">https://logo_url</mdui:Logo>
>       </mdui:UIInfo>
>     </md:Extensions>
>     <md:KeyDescriptor use="signing">
>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:X509Data>
>           <ds:X509Certificate>My Signing Cert</ds:X509Certificate>
>         </ds:X509Data>
>       </ds:KeyInfo>
>     </md:KeyDescriptor>
>     <md:KeyDescriptor use="encryption">
>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:X509Data>
>           <ds:X509Certificate>My Encription Cert</ds:X509Certificate>
>         </ds:X509Data>
>       </ds:KeyInfo>
>     </md:KeyDescriptor>
>     <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>         Location="http://mycas.com/cas/idp/profile/SAML2/POST/SLO"/>
>     <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>         Location="http://mycas.com/cas/logout"/>
>     <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
>     <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>         Location="http://mycas.com/cas/idp/profile/SAML2/POST/SSO"/>
>     <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
>         Location="http://mycas.com/cas/idp/profile/SAML2/POST-SimpleSign/SSO"/>
>     <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
>         Location="http://mycas.com/cas/idp/profile/SAML2/SOAP/ECP"/>
>     <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>         Location="http://mycas.com/cas/login"/>
>   </md:IDPSSODescriptor>
>   <md:Organization>
>     <md:OrganizationName xml:lang="en-US">Organization Name</md:OrganizationName>
>     <md:OrganizationDisplayName xml:lang="en-US">Name</md:OrganizationDisplayName>
>     <md:OrganizationURL xml:lang="en-US">https://mysite.com</md:OrganizationURL>
>   </md:Organization>
>   <md:ContactPerson contactType="administrative">
>     <md:GivenName>Some Guy</md:GivenName>
>     <md:EmailAddress>mailto:[email protected]</md:EmailAddress>
>   </md:ContactPerson>
>   <md:ContactPerson contactType="technical">
>     <md:GivenName>Other Guy</md:GivenName>
>     <md:EmailAddress>[email protected]</md:EmailAddress>
>   </md:ContactPerson>
>   <md:ContactPerson contactType="support">
>     <md:GivenName>Another One</md:GivenName>
>     <md:EmailAddress>[email protected]</md:EmailAddress>
>   </md:ContactPerson>
> </md:EntityDescriptor>
>
> Do you have any idea of what could be the problem?
>
> Thanks
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional
> territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ
> peoples whose historical relationships with the land continue to this day.
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/8287362dd17173adfa671a5ceef15817ec7b2b23.camel%40uvic.ca
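The root cause in the exchange above was an expired validUntil in idp-metadata.xml, which CAS reported only as "Unable to locate any signing credentials". As an added example (not code from the thread or from the CAS project), the Python below pre-checks a metadata file for the two failure modes the thread touches on: a validUntil that is already in the past, and KeyDescriptor entries whose X509Certificate body is placeholder text rather than a base64 DER certificate. The sample metadata is constructed to mirror the quoted file; the certificate check is a heuristic (base64 that decodes to a DER SEQUENCE), not full X.509 parsing.

```python
"""Pre-flight check for a SAML2 IdP metadata file before handing it to CAS.

Added example, not CAS project code. Flags (1) an expired validUntil and
(2) signing/encryption KeyDescriptors that do not carry a real certificate.
"""
import base64
import binascii
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample modelled on the metadata quoted in the thread (not the
# real file): validUntil already passed, placeholder text where certs belong.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2021-12-30T15:55:49Z" cacheDuration="PT1641311749S"
    entityID="http://mycas.com/cas/idp/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>My Signing Cert</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>My Encryption Cert</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_saml_instant(value):
    """Parse a SAML dateTime such as 2021-12-30T15:55:49Z into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:          # SAML instants are UTC; treat a bare value as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def looks_like_der_cert(text):
    """Heuristic: body is valid base64 whose first decoded byte is a DER SEQUENCE (0x30)."""
    compact = "".join(text.split())
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 2 and raw[0] == 0x30


def check_idp_metadata(xml_text, now=None):
    """Return a report dict; 'problems' lists conditions that would stop the IdP from signing."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    report = {"entity_id": root.get("entityID"), "problems": []}

    valid_until = root.get("validUntil")
    report["valid_until"] = valid_until
    report["expired"] = False
    if valid_until is not None:
        expiry = parse_saml_instant(valid_until)
        report["expired"] = expiry <= now
        if report["expired"]:
            report["problems"].append(
                "validUntil %s is in the past (checked at %s)" % (valid_until, now.isoformat()))

    for use in ("signing", "encryption"):
        cert = root.find(
            "md:IDPSSODescriptor/md:KeyDescriptor[@use='%s']"
            "/ds:KeyInfo/ds:X509Data/ds:X509Certificate" % use, NS)
        ok = cert is not None and cert.text is not None and looks_like_der_cert(cert.text)
        report[use + "_cert_ok"] = ok
        if not ok:
            report["problems"].append(
                "KeyDescriptor use=%r has no parseable X509Certificate" % use)
    return report


def check_sample(now_iso="2022-02-01T14:21:00Z"):
    """Run the check on the constructed sample at a fixed instant (for reproducibility)."""
    return check_idp_metadata(SAMPLE_METADATA, now=parse_saml_instant(now_iso))


if __name__ == "__main__":
    for problem in check_sample()["problems"]:
        print("PROBLEM:", problem)
```

To use it on a real file, pass the file contents to check_idp_metadata; an empty problems list means neither of the conditions the thread ran into is present, which is worth confirming before CAS is restarted, since CAS itself reports the expired case only indirectly.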
