Thank you for your answer Pablo. I haven't tried that, but in the end it
wasn't necessary, as my mistake was that the *validUntil* field in the
metadata file was set to a date in the past. I just changed that to match a
future date, and it worked.

Thanks for pointing out the use of *cas.authn.saml-idp.core.entity-id=* and
*cas.authn.saml-idp.metadata.file-system.location=*, I will take them into
account in the future.

On Tue, 1 Feb 2022 at 14:59, Pablo Vidaurri (<[email protected]>)
wrote:

> Have you tried:
>
> cas.authn.saml-idp.metadata.file-system.location=file:/somedir/somesubdir/saml
>
> I have my idp certs/keys in the location defined above. Note that prior to 6.4.5
> the key is simply cas.authn.saml-idp.metadata.location
> I have another metadata folder where I keep my metadata and in my
> services I point to this metadata folder.
>
> @Agustin, also make sure you have property below with a value that is
> fitting for you.
> cas.authn.saml-idp.core.entity-id=https://sso-idp.mydomain.com/idp/saml
> On Tuesday, February 1, 2022 at 11:21:41 AM UTC-6 Ray Bon wrote:
>
>> Agustín,
>>
>> Cas needs access to your certificates as well.
>> My certificates are in the same directory as the metadata. They are
>> idp-signing.crt
>> idp-signing.key
>> idp-encryption.crt
>> idp-encryption.key
>>
>> Cas creates them when it creates metadata.
>> I assume that 'My Signing Cert' is a stand in for the actual cert. Just
>> make sure it matches the file above.
>>
>> I could not find anything in the docs to change the location of the
>> certificates. I would prefer to have my keys in a different directory.
>>
>> Ray
>>
>> On Tue, 2022-02-01 at 07:34 -0800, Agustín Ezequiel Pereyra wrote:
>>
>> Hello,
>>
>> When I configure Apereo CAS version 6.4.5 to act as an IdP for the SAML2
>> protocol, I get a weird error. If I don't create the directory
>> */etc/cas/saml* and leave CAS free to handle the creation of the
>> idp-metadata.xml file, it works fine. But if I try to use my own
>> *idp-metadata.xml* file and put it at */etc/cas/saml*, I get the error:
>>
>> 2022-02-01 11:59:29,715 ERROR
>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.DefaultSamlIdPObjectSigner]
>> - <Unable to locate any signing credentials for service [Mi cool service]>
>>
>> I have verified my metadata file with this site:
>> https://www.samltool.com/validate_xml.php, and it seems to be correct. I
>> put it down here in case it is useful, changing sensitive names and that
>> stuff:
>>
>> <?xml version="1.0"?>
>> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>>     xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
>>     validUntil="2021-12-30T15:55:49Z" cacheDuration="PT1641311749S"
>>     entityID="http://mycas.com/cas/idp/metadata">
>>   <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
>>       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>>     <md:Extensions>
>>       <mdui:UIInfo>
>>         <mdui:DisplayName xml:lang="en">My Site</mdui:DisplayName>
>>         <mdui:Description xml:lang="en">The identity provider at My Site</mdui:Description>
>>         <mdui:Logo height="32" width="32" xml:lang="en">https://logo_url</mdui:Logo>
>>       </mdui:UIInfo>
>>     </md:Extensions>
>>     <md:KeyDescriptor use="signing">
>>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>         <ds:X509Data>
>>           <ds:X509Certificate>My Signing Cert</ds:X509Certificate>
>>         </ds:X509Data>
>>       </ds:KeyInfo>
>>     </md:KeyDescriptor>
>>     <md:KeyDescriptor use="encryption">
>>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>         <ds:X509Data>
>>           <ds:X509Certificate>My Encryption Cert</ds:X509Certificate>
>>         </ds:X509Data>
>>       </ds:KeyInfo>
>>     </md:KeyDescriptor>
>>     <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>         Location="http://mycas.com/cas/idp/profile/SAML2/POST/SLO"/>
>>     <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>>         Location="http://mycas.com/cas/logout"/>
>>     <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
>>     <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>         Location="http://mycas.com/cas/idp/profile/SAML2/POST/SSO"/>
>>     <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
>>         Location="http://mycas.com/cas/idp/profile/SAML2/POST-SimpleSign/SSO"/>
>>     <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
>>         Location="http://mycas.com/cas/idp/profile/SAML2/SOAP/ECP"/>
>>     <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>>         Location="http://mycas.com/cas/login"/>
>>   </md:IDPSSODescriptor>
>>   <md:Organization>
>>     <md:OrganizationName xml:lang="en-US">Organization Name</md:OrganizationName>
>>     <md:OrganizationDisplayName xml:lang="en-US">Name</md:OrganizationDisplayName>
>>     <md:OrganizationURL xml:lang="en-US">https://mysite.com</md:OrganizationURL>
>>   </md:Organization>
>>   <md:ContactPerson contactType="administrative">
>>     <md:GivenName>Some Guy</md:GivenName>
>>     <md:EmailAddress>mailto:[email protected]</md:EmailAddress>
>>   </md:ContactPerson>
>>   <md:ContactPerson contactType="technical">
>>     <md:GivenName>Other Guy</md:GivenName>
>>     <md:EmailAddress>[email protected]</md:EmailAddress>
>>   </md:ContactPerson>
>>   <md:ContactPerson contactType="support">
>>     <md:GivenName>Another One</md:GivenName>
>>     <md:EmailAddress>[email protected]</md:EmailAddress>
>>   </md:ContactPerson>
>> </md:EntityDescriptor>
>>
>> Do you have any idea of what could be the problem?
>>
>> Thanks
>>
>> --
>>
>> Ray Bon
>> Programmer Analyst
>> Development Services, University Systems
>> (250) 721-8831 | CLE 019 | [email protected]
>>
>> I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional
>> territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ
>> peoples whose historical relationships with the land continue to this day.
>>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/17393553-0c37-4fbb-b7ac-565eaf049133n%40apereo.org.
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGUdYrSQQ5Ofjp73ups09gJ9g7M5SeoLEY_aovWvMUbBJANkPA%40mail.gmail.com.
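A pre-flight check for the situation in this thread, added here as an example and not code from the CAS project or from any of the posters: it parses an IdP metadata file the way a reviewer would before pointing `cas.authn.saml-idp.metadata.file-system.location` at it, and reports a `validUntil` in the past (the actual cause found above), an `entityID` that differs from the configured `cas.authn.saml-idp.core.entity-id`, and `KeyDescriptor` contents that are placeholders rather than base64 DER certificates (Ray's "My Signing Cert" point). The sample metadata, the placeholder text, the fake DER blob, the fixed date and the function names are all constructed for the example; CAS itself does its own, stricter validation.

```python
"""Pre-flight checks for a hand-written SAML2 IdP metadata file (constructed example)."""
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def parse_saml_datetime(value: str) -> datetime:
    """Parse an xsd:dateTime such as 2021-12-30T15:55:49Z into an aware UTC datetime."""
    if value.endswith("Z"):  # Pythons before 3.11 reject the 'Z' suffix
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def looks_like_der_certificate(text: str) -> bool:
    """True if the element text is base64 that decodes to a DER SEQUENCE (tag 0x30).
    A stand-in such as 'My Signing Cert' fails here instead of at CAS start-up."""
    compact = re.sub(r"\s+", "", text)
    try:
        der = base64.b64decode(compact, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) > 2 and der[0] == 0x30


def check_idp_metadata(xml_text: str, expected_entity_id: str,
                       now: Optional[datetime] = None) -> List[str]:
    """Return the problems found; an empty list means the file passed every check."""
    now = now or datetime.now(timezone.utc)
    problems: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is %s, expected md:EntityDescriptor" % root.tag]

    entity_id = root.get("entityID", "")
    if entity_id != expected_entity_id:
        problems.append("entityID %r does not match the configured entity-id %r"
                        % (entity_id, expected_entity_id))

    valid_until = root.get("validUntil")  # optional attribute; absent means no expiry
    if valid_until is not None:
        try:
            if parse_saml_datetime(valid_until) <= now:
                problems.append("validUntil %s is in the past; the metadata is expired"
                                % valid_until)
        except ValueError:
            problems.append("validUntil %r is not a valid xsd:dateTime" % valid_until)

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no md:IDPSSODescriptor element; this is not IdP metadata")
        return problems

    uses = set()
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")  # per the metadata spec, no 'use' means signing and encryption
        uses.update({"signing", "encryption"} if use is None else {use})
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            if not looks_like_der_certificate(cert.text or ""):
                problems.append("%s KeyDescriptor holds %r, not a base64 DER certificate"
                                % (use or "unspecified", (cert.text or "").strip()[:40]))
    if "signing" not in uses:
        problems.append("no signing KeyDescriptor; the IdP cannot sign assertions")
    return problems


def sample_metadata(valid_until: str, cert_b64: str) -> str:
    """Constructed metadata in the shape of the file from the thread, not the real file."""
    return f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="{valid_until}" cacheDuration="PT1641311749S"
    entityID="http://mycas.com/cas/idp/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://mycas.com/cas/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


# Constructed stand-ins, not real key material: the placeholder from the thread and a
# minimal DER SEQUENCE (length 16) that satisfies the shape check only.
PLACEHOLDER_CERT = "My Signing Cert"
FAKE_DER_CERT = base64.b64encode(b"\x30\x82\x00\x10" + b"\x00" * 16).decode()

if __name__ == "__main__":
    when = datetime(2022, 2, 1, 12, 0, tzinfo=timezone.utc)  # the day of the thread
    for label, doc in (("as posted", sample_metadata("2021-12-30T15:55:49Z", PLACEHOLDER_CERT)),
                       ("fixed", sample_metadata("2023-02-01T00:00:00Z", FAKE_DER_CERT))):
        found = check_idp_metadata(doc, "http://mycas.com/cas/idp/metadata", now=when)
        print(label, "->", found or "OK")
```

Run against the "as posted" sample with the clock set to the day of the thread, the check lists the expired `validUntil` together with both placeholder certificates, so the expiry would have been caught before the "Unable to locate any signing credentials" error; the "fixed" sample passes. Passing a different expected entity-id reports the mismatch that Pablo's `cas.authn.saml-idp.core.entity-id` remark is about.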