Re: [cas-user] Delegated Authentication SAML2 : Single EntityID

Thu, 11 Jul 2024 01:06:33 -0700 

Hello,
I am pretty sure the one entityid for all the IdP references will not work. I did a bit of experimenting on 6.5.x and it works like this: 

1) user selects a delegated IdP from the menu

2) cas/pac4j/? looks up the entityid that is associated with it in the 
properties
3) opensaml library goes through its metadata cache and selects metadata 
document where there is the same entityid as in step 2.
4) this way, the correct IdP metadata has been found and the 
authentication process follows what is written in them

5) ... saml2 auth process ... etc.

So no wonder only the first one works.

Cheers,
Fiisch

On 11. 07. 24 0:30, Ray Bon wrote:

wouldsmina,


Are you getting a menu of IdPs to select from, or does cas always 
default to cas.authn.pac4j.saml[0]
At the bottom of the cas doc page are a set of tabs 'MENU', 'DYMANIC', 
'CUSTOM'. Dynamic has example JSON. If you want a menu, you could try 
creating a list of IdP entityId's in a JSON file. (We are only 
beginning with using cas for SAML, so I am doing a bit of guessing.)


RequestInitiator is optional, you can remove it from metadata.
SP do not usually need the signing cert.

Ray
------------------------------------------------------------------------

*From:* cas-user@apereo.org <cas-user@apereo.org> on behalf of 
wouldsmina <wouldsm...@gmail.com>

*Sent:* 10 July 2024 12:58
*To:* cas-user@apereo.org <cas-user@apereo.org>

*Subject:* Re: [cas-user] Delegated Authentication SAML2 : Single 
EntityID


        

You don't often get email from wouldsm...@gmail.com. Learn why this is 
important <https://aka.ms/LearnAboutSenderIdentification>

        


I've tried configuring all the IdPs with the same values (as in the 
example), but only the first one used works. In the metadata file 
generated by CAS, I find data specific to the first IdP:
<init:RequestInitiator 
Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" 
Location="https://auth.icoopeb.org/cas/login?client_name=*lmu*"/>



CAS also generates the saml-signing-cert-*lmu*.crt 
saml-signing-cert-*lmu*.key files, but I don't think that's a problem.



Thanks for the link, I had seen this documentation, but I don't 
understand what the json file of 
cas.authn.pac4j.core.discovery-selection.json.location should contain. 
Is there any documentation or an example ?


Wouldsmina.


Le mer. 10 juil. 2024 à 21:06, Ray Bon <r...@uvic.ca> a écrit :

    Yes.
    There is a section on IdP selection,
    
https://apereo.github.io/cas/7.0.x/integration/Delegate-Authentication-DiscoverySelection.html


    Ray
    ------------------------------------------------------------------------
    *From:* cas-user@apereo.org <cas-user@apereo.org> on behalf of
    wouldsmina <wouldsm...@gmail.com>
    *Sent:* 10 July 2024 03:16
    *To:* cas-user@apereo.org <cas-user@apereo.org>
    *Subject:* Re: [cas-user] Delegated Authentication SAML2 : Single
    EntityID

        
    You don't often get email from wouldsm...@gmail.com. Learn why
    this is important <https://aka.ms/LearnAboutSenderIdentification>
        

    Hello Ray,
    Thanks for your reply.
    Here is an example of what I did:

    cas.authn.pac4j.saml[6].keystore-password=password1
    cas.authn.pac4j.saml[6].private-key-password=password2
    
cas.authn.pac4j.saml[6].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/ufra
    
cas.authn.pac4j.saml[6].service-provider-metadata-path=/etc/cas/config/sp-metadata-ufra.xml
    cas.authn.pac4j.saml[6].keystore-path=/etc/cas/config/samlKeystore-ufra.jks
    
cas.authn.pac4j.saml[6].identity-provider-metadata-path=https://idp-cafe.ufra.edu.br/idp/shibboleth
    
cas.authn.pac4j.saml[6].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
    cas.authn.pac4j.saml[6].client-name=idpufra
    cas.authn.pac4j.saml[6].display-name=UFRA
    cas.authn.pac4j.saml[6].logout-request-binding=

    cas.authn.pac4j.saml[7].keystore-password=password3
    cas.authn.pac4j.saml[7].private-key-password=password4
    
cas.authn.pac4j.saml[7].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/uce
    
cas.authn.pac4j.saml[7].service-provider-metadata-path=/etc/cas/config/sp-metadata-uce.xml
    cas.authn.pac4j.saml[7].keystore-path=/etc/cas/config/samlKeystore-uce.jks
    
cas.authn.pac4j.saml[7].identity-provider-metadata-path=https://login.uce.cedia.edu.ec/saml2/idp/metadata.php
    
cas.authn.pac4j.saml[7].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
    cas.authn.pac4j.saml[7].client-name=idpuce
    cas.authn.pac4j.saml[7].display-name=Universidad Central del Ecuador
    cas.authn.pac4j.saml[7].logout-request-binding=

    cas.authn.pac4j.saml[8].keystore-password=password5
    cas.authn.pac4j.saml[8].private-key-password=password6
    
cas.authn.pac4j.saml[8].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/uniandes
    
cas.authn.pac4j.saml[8].service-provider-metadata-path=/etc/cas/config/sp-metadata-uniandes.xml
    
cas.authn.pac4j.saml[8].keystore-path=/etc/cas/config/samlKeystore-uniandes.jks
    
cas.authn.pac4j.saml[8].identity-provider-metadata-path=https://login.uniandes.cedia.edu.ec/saml2/idp/metadata.php
    
cas.authn.pac4j.saml[8].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
    cas.authn.pac4j.saml[8].client-name=idpuniandes
    cas.authn.pac4j.saml[8].display-name=UNIANDES
    cas.authn.pac4j.saml[8].logout-request-binding=

    If I understand what you're proposing, I have to do this:

    cas.authn.pac4j.saml[6].keystore-password=password1
    cas.authn.pac4j.saml[6].private-key-password=password2
    
cas.authn.pac4j.saml[6].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/all
    
cas.authn.pac4j.saml[6].service-provider-metadata-path=/etc/cas/config/sp-metadata-all.xml
    cas.authn.pac4j.saml[6].keystore-path=/etc/cas/config/samlKeystore-all.jks
    
cas.authn.pac4j.saml[6].identity-provider-metadata-path=https://idp-cafe.ufra.edu.br/idp/shibboleth
    
cas.authn.pac4j.saml[6].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
    cas.authn.pac4j.saml[6].client-name=idpufra
    cas.authn.pac4j.saml[6].display-name=UFRA
    cas.authn.pac4j.saml[6].logout-request-binding=

    cas.authn.pac4j.saml[7].keystore-password=password1
    cas.authn.pac4j.saml[7].private-key-password=password2
    
cas.authn.pac4j.saml[7].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/all
    
cas.authn.pac4j.saml[7].service-provider-metadata-path=/etc/cas/config/sp-metadata-all.xml
    cas.authn.pac4j.saml[7].keystore-path=/etc/cas/config/samlKeystore-all.jks
    
cas.authn.pac4j.saml[7].identity-provider-metadata-path=https://login.uce.cedia.edu.ec/saml2/idp/metadata.php
    
cas.authn.pac4j.saml[7].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
    cas.authn.pac4j.saml[7].client-name=idpuce
    cas.authn.pac4j.saml[7].display-name=Universidad Central del Ecuador
    cas.authn.pac4j.saml[7].logout-request-binding=

    Best regards

    Le mer. 10 juil. 2024 à 00:37, Ray Bon <r...@uvic.ca> a écrit :

        Wouldsmina,

        Once your SP metadata is in the specified location, cas will
        not recreate it.
        Are you using a different entityId or key for each IdP? That
        is not necessary.

        Ray
        ------------------------------------------------------------------------
        *From:* cas-user@apereo.org <cas-user@apereo.org> on behalf of
        wouldsmina <wouldsm...@gmail.com>
        *Sent:* 09 July 2024 02:03
        *To:* CAS Community <cas-user@apereo.org>
        *Subject:* [cas-user] Delegated Authentication SAML2 : Single
        EntityID

                
        You don't often get email from wouldsm...@gmail.com. Learn why
        this is important <https://aka.ms/LearnAboutSenderIdentification>
                

        Hello,
        I want to use identity delegation to allow other IdPs to
        authenticate a number of my services. I was inspired by this
        documentation:
        https://fawnoos.com/2023/10/04/cas66-delegate-authn-saml2-idp/.
        But I notice that for each declared IdP, CAS produces
        different EntityId and metadatas.

        The IdPs concerned are part of the EduGain identity federation
        and I'd like to declare a single SP (for simplicity and to
        comply with the charter). Do you know if it's possible to
        configure CAS to create a single EntityId for all declared IdPs?

        Best regards,
        Wouldsmina

        -- 
        - Website: https://apereo.github.io/cas

        - Gitter Chatroom: https://gitter.im/apereo/cas
        - List Guidelines: https://goo.gl/1VRrw7
        - Contributions: https://goo.gl/mh7qDG
        ---
        You received this message because you are subscribed to the
        Google Groups "CAS Community" group.
        To unsubscribe from this group and stop receiving emails from
        it, send an email to cas-user+unsubscr...@apereo.org.
        To view this discussion on the web visit
        
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNbBoMTU5rSOvnupAoykoEmyV-1_GtRtmkU2%3D4j7Lih2Hw%40mail.gmail.com
        
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNbBoMTU5rSOvnupAoykoEmyV-1_GtRtmkU2%3D4j7Lih2Hw%40mail.gmail.com?utm_medium=email&utm_source=footer>.

        -- 
        - Website: https://apereo.github.io/cas

        - Gitter Chatroom: https://gitter.im/apereo/cas
        - List Guidelines: https://goo.gl/1VRrw7
        - Contributions: https://goo.gl/mh7qDG
        ---
        You received this message because you are subscribed to the
        Google Groups "CAS Community" group.
        To unsubscribe from this group and stop receiving emails from
        it, send an email to cas-user+unsubscr...@apereo.org.
        To view this discussion on the web visit
        
https://groups.google.com/a/apereo.org/d/msgid/cas-user/YT3PR01MB9946D4056045A7C6FDEBA002CEDB2%40YT3PR01MB9946.CANPRD01.PROD.OUTLOOK.COM
        
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/YT3PR01MB9946D4056045A7C6FDEBA002CEDB2%40YT3PR01MB9946.CANPRD01.PROD.OUTLOOK.COM?utm_medium=email&utm_source=footer>.


    -- 
    - Website: https://apereo.github.io/cas

    - Gitter Chatroom: https://gitter.im/apereo/cas
    - List Guidelines: https://goo.gl/1VRrw7
    - Contributions: https://goo.gl/mh7qDG
    ---
    You received this message because you are subscribed to the Google
    Groups "CAS Community" group.
    To unsubscribe from this group and stop receiving emails from it,
    send an email to cas-user+unsubscr...@apereo.org.
    To view this discussion on the web visit
    
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNZLM%3DwDRQ-peG2fX0Ezfx9UNA-NecFNNqBSn-yTN%2BoPcQ%40mail.gmail.com
    
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNZLM%3DwDRQ-peG2fX0Ezfx9UNA-NecFNNqBSn-yTN%2BoPcQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.

    -- 
    - Website: https://apereo.github.io/cas

    - Gitter Chatroom: https://gitter.im/apereo/cas
    - List Guidelines: https://goo.gl/1VRrw7
    - Contributions: https://goo.gl/mh7qDG
    ---
    You received this message because you are subscribed to the Google
    Groups "CAS Community" group.
    To unsubscribe from this group and stop receiving emails from it,
    send an email to cas-user+unsubscr...@apereo.org.
    To view this discussion on the web visit
    
https://groups.google.com/a/apereo.org/d/msgid/cas-user/YT3PR01MB9946FF4EC590B835D54D6978CEA42%40YT3PR01MB9946.CANPRD01.PROD.OUTLOOK.COM
    
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/YT3PR01MB9946FF4EC590B835D54D6978CEA42%40YT3PR01MB9946.CANPRD01.PROD.OUTLOOK.COM?utm_medium=email&utm_source=footer>.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---

You received this message because you are subscribed to the Google 
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNZU2VcunDgV4Q%3DRhc6AEWM6qdgOnLZ%2BJBLFQS9TSf4Fmg%40mail.gmail.com 
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNZU2VcunDgV4Q%3DRhc6AEWM6qdgOnLZ%2BJBLFQS9TSf4Fmg%40mail.gmail.com?utm_medium=email&utm_source=footer>.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---

You received this message because you are subscribed to the Google 
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/YT3PR01MB99469E6F007F799D4527DD02CEA42%40YT3PR01MB9946.CANPRD01.PROD.OUTLOOK.COM 
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/YT3PR01MB99469E6F007F799D4527DD02CEA42%40YT3PR01MB9946.CANPRD01.PROD.OUTLOOK.COM?utm_medium=email&utm_source=footer>.


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG

--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/55a23229-2e59-432a-bc17-1f44db253ecc%40gmail.com.

























					Reply via email to