I tried various modifications, but all ended in failure. You're right Fiisch, it only seems to work with independently declared identity providers.
Thank you for your help. I will try to find another solution to my problem. Le jeu. 11 juil. 2024 à 10:06, Petr Fišer <petr.fiser...@gmail.com> a écrit : > Hello, > I am pretty sure the one entityid for all the IdP references will not > work. I did a bit of experimenting on 6.5.x and it works like this: > > 1) user selects a delegated IdP from the menu > 2) cas/pac4j/? looks up the entityid that is associated with it in the > properties > 3) opensaml library goes through its metadata cache and selects metadata > document where there is the same entityid as in step 2. > 4) this way, the correct IdP metadata has been found and the > authentication process follows what is written in them > 5) ... saml2 auth process ... etc. > > So no wonder only the first one works. > > Cheers, > Fiisch > > On 11. 07. 24 0:30, Ray Bon wrote: > > wouldsmina, > > Are you getting a menu of IdPs to select from, or does cas always default > to cas.authn.pac4j.saml[0] > At the bottom of the cas doc page are a set of tabs 'MENU', 'DYMANIC', > 'CUSTOM'. Dynamic has example JSON. If you want a menu, you could try > creating a list of IdP entityId's in a JSON file. (We are only beginning > with using cas for SAML, so I am doing a bit of guessing.) > > RequestInitiator is optional, you can remove it from metadata. > SP do not usually need the signing cert. > > Ray > ------------------------------ > *From:* cas-user@apereo.org <cas-user@apereo.org> <cas-user@apereo.org> > on behalf of wouldsmina <wouldsm...@gmail.com> <wouldsm...@gmail.com> > *Sent:* 10 July 2024 12:58 > *To:* cas-user@apereo.org <cas-user@apereo.org> <cas-user@apereo.org> > *Subject:* Re: [cas-user] Delegated Authentication SAML2 : Single EntityID > > > You don't often get email from wouldsm...@gmail.com. Learn why this is > important <https://aka.ms/LearnAboutSenderIdentification> > > I've tried configuring all the IdPs with the same values (as in the > example), but only the first one used works. In the metadata file generated > by CAS, I find data specific to the first IdP: > <init:RequestInitiator > Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location=" > https://auth.icoopeb.org/cas/login?client_name=*lmu*"/> > > CAS also generates the saml-signing-cert-*lmu*.crt saml-signing-cert-*lmu*.key > files, but I don't think that's a problem. > > Thanks for the link, I had seen this documentation, but I don't understand > what the json file of > cas.authn.pac4j.core.discovery-selection.json.location should contain. Is > there any documentation or an example ? > > Wouldsmina. > > > Le mer. 10 juil. 2024 à 21:06, Ray Bon <r...@uvic.ca> a écrit : > > Yes. > There is a section on IdP selection, > https://apereo.github.io/cas/7.0.x/integration/Delegate-Authentication-DiscoverySelection.html > > > Ray > ------------------------------ > *From:* cas-user@apereo.org <cas-user@apereo.org> on behalf of wouldsmina > <wouldsm...@gmail.com> > *Sent:* 10 July 2024 03:16 > *To:* cas-user@apereo.org <cas-user@apereo.org> > *Subject:* Re: [cas-user] Delegated Authentication SAML2 : Single EntityID > > > You don't often get email from wouldsm...@gmail.com. Learn why this is > important <https://aka.ms/LearnAboutSenderIdentification> > > Hello Ray, > Thanks for your reply. > Here is an example of what I did: > > cas.authn.pac4j.saml[6].keystore-password=password1 > cas.authn.pac4j.saml[6].private-key-password=password2 > cas.authn.pac4j.saml[6].service-provider-entity-id= > https://auth.icoopeb.org/cas/sp/ufra > > cas.authn.pac4j.saml[6].service-provider-metadata-path=/etc/cas/config/sp-metadata-ufra.xml > cas.authn.pac4j.saml[6].keystore-path=/etc/cas/config/samlKeystore-ufra.jks > cas.authn.pac4j.saml[6].identity-provider-metadata-path= > https://idp-cafe.ufra.edu.br/idp/shibboleth > > cas.authn.pac4j.saml[6].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect > cas.authn.pac4j.saml[6].client-name=idpufra > cas.authn.pac4j.saml[6].display-name=UFRA > cas.authn.pac4j.saml[6].logout-request-binding= > > cas.authn.pac4j.saml[7].keystore-password=password3 > cas.authn.pac4j.saml[7].private-key-password=password4 > cas.authn.pac4j.saml[7].service-provider-entity-id= > https://auth.icoopeb.org/cas/sp/uce > > cas.authn.pac4j.saml[7].service-provider-metadata-path=/etc/cas/config/sp-metadata-uce.xml > cas.authn.pac4j.saml[7].keystore-path=/etc/cas/config/samlKeystore-uce.jks > cas.authn.pac4j.saml[7].identity-provider-metadata-path= > https://login.uce.cedia.edu.ec/saml2/idp/metadata.php > > cas.authn.pac4j.saml[7].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect > cas.authn.pac4j.saml[7].client-name=idpuce > cas.authn.pac4j.saml[7].display-name=Universidad Central del Ecuador > cas.authn.pac4j.saml[7].logout-request-binding= > > cas.authn.pac4j.saml[8].keystore-password=password5 > cas.authn.pac4j.saml[8].private-key-password=password6 > cas.authn.pac4j.saml[8].service-provider-entity-id= > https://auth.icoopeb.org/cas/sp/uniandes > > cas.authn.pac4j.saml[8].service-provider-metadata-path=/etc/cas/config/sp-metadata-uniandes.xml > > cas.authn.pac4j.saml[8].keystore-path=/etc/cas/config/samlKeystore-uniandes.jks > cas.authn.pac4j.saml[8].identity-provider-metadata-path= > https://login.uniandes.cedia.edu.ec/saml2/idp/metadata.php > > cas.authn.pac4j.saml[8].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect > cas.authn.pac4j.saml[8].client-name=idpuniandes > cas.authn.pac4j.saml[8].display-name=UNIANDES > cas.authn.pac4j.saml[8].logout-request-binding= > > If I understand what you're proposing, I have to do this: > > cas.authn.pac4j.saml[6].keystore-password=password1 > cas.authn.pac4j.saml[6].private-key-password=password2 > cas.authn.pac4j.saml[6].service-provider-entity-id= > https://auth.icoopeb.org/cas/sp/all > > cas.authn.pac4j.saml[6].service-provider-metadata-path=/etc/cas/config/sp-metadata-all.xml > cas.authn.pac4j.saml[6].keystore-path=/etc/cas/config/samlKeystore-all.jks > cas.authn.pac4j.saml[6].identity-provider-metadata-path= > https://idp-cafe.ufra.edu.br/idp/shibboleth > > cas.authn.pac4j.saml[6].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect > cas.authn.pac4j.saml[6].client-name=idpufra > cas.authn.pac4j.saml[6].display-name=UFRA > cas.authn.pac4j.saml[6].logout-request-binding= > > cas.authn.pac4j.saml[7].keystore-password=password1 > cas.authn.pac4j.saml[7].private-key-password=password2 > cas.authn.pac4j.saml[7].service-provider-entity-id= > https://auth.icoopeb.org/cas/sp/all > > cas.authn.pac4j.saml[7].service-provider-metadata-path=/etc/cas/config/sp-metadata-all.xml > cas.authn.pac4j.saml[7].keystore-path=/etc/cas/config/samlKeystore-all.jks > cas.authn.pac4j.saml[7].identity-provider-metadata-path= > https://login.uce.cedia.edu.ec/saml2/idp/metadata.php > > cas.authn.pac4j.saml[7].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect > cas.authn.pac4j.saml[7].client-name=idpuce > cas.authn.pac4j.saml[7].display-name=Universidad Central del Ecuador > cas.authn.pac4j.saml[7].logout-request-binding= > > Best regards > > Le mer. 10 juil. 2024 à 00:37, Ray Bon <r...@uvic.ca> a écrit : > > Wouldsmina, > > Once your SP metadata is in the specified location, cas will not recreate > it. > Are you using a different entityId or key for each IdP? That is not > necessary. > > Ray > ------------------------------ > *From:* cas-user@apereo.org <cas-user@apereo.org> on behalf of wouldsmina > <wouldsm...@gmail.com> > *Sent:* 09 July 2024 02:03 > *To:* CAS Community <cas-user@apereo.org> > *Subject:* [cas-user] Delegated Authentication SAML2 : Single EntityID > > > You don't often get email from wouldsm...@gmail.com. Learn why this is > important <https://aka.ms/LearnAboutSenderIdentification> > > Hello, > I want to use identity delegation to allow other IdPs to authenticate a > number of my services. I was inspired by this documentation: > https://fawnoos.com/2023/10/04/cas66-delegate-authn-saml2-idp/. But I > notice that for each declared IdP, CAS produces different EntityId and > metadatas. > > The IdPs concerned are part of the EduGain identity federation and I'd > like to declare a single SP (for simplicity and to comply with the > charter). Do you know if it's possible to configure CAS to create a single > EntityId for all declared IdPs? > > Best regards, > Wouldsmina > -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to cas-user+unsubscr...@apereo.org. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNbBoMTU5rSOvnupAoykoEmyV-1_GtRtmkU2%3D4j7Lih2Hw%40mail.gmail.com > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNbBoMTU5rSOvnupAoykoEmyV-1_GtRtmkU2%3D4j7Lih2Hw%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to cas-user+unsubscr...@apereo.org. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/YT3PR01MB9946D4056045A7C6FDEBA002CEDB2%40YT3PR01MB9946.CANPRD01.PROD.OUTLOOK.COM > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/YT3PR01MB9946D4056045A7C6FDEBA002CEDB2%40YT3PR01MB9946.CANPRD01.PROD.OUTLOOK.COM?utm_medium=email&utm_source=footer> > . > > -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to cas-user+unsubscr...@apereo.org. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNZLM%3DwDRQ-peG2fX0Ezfx9UNA-NecFNNqBSn-yTN%2BoPcQ%40mail.gmail.com > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNZLM%3DwDRQ-peG2fX0Ezfx9UNA-NecFNNqBSn-yTN%2BoPcQ%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to cas-user+unsubscr...@apereo.org. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/YT3PR01MB9946FF4EC590B835D54D6978CEA42%40YT3PR01MB9946.CANPRD01.PROD.OUTLOOK.COM > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/YT3PR01MB9946FF4EC590B835D54D6978CEA42%40YT3PR01MB9946.CANPRD01.PROD.OUTLOOK.COM?utm_medium=email&utm_source=footer> > . > > -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to cas-user+unsubscr...@apereo.org. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNZU2VcunDgV4Q%3DRhc6AEWM6qdgOnLZ%2BJBLFQS9TSf4Fmg%40mail.gmail.com > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNZU2VcunDgV4Q%3DRhc6AEWM6qdgOnLZ%2BJBLFQS9TSf4Fmg%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to cas-user+unsubscr...@apereo.org. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/YT3PR01MB99469E6F007F799D4527DD02CEA42%40YT3PR01MB9946.CANPRD01.PROD.OUTLOOK.COM > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/YT3PR01MB99469E6F007F799D4527DD02CEA42%40YT3PR01MB9946.CANPRD01.PROD.OUTLOOK.COM?utm_medium=email&utm_source=footer> > . > > > -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to cas-user+unsubscr...@apereo.org. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/55a23229-2e59-432a-bc17-1f44db253ecc%40gmail.com > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/55a23229-2e59-432a-bc17-1f44db253ecc%40gmail.com?utm_medium=email&utm_source=footer> > . > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNYyLPk-xz_UkFskphA8L4DiSHcMa7aM1D6AgtG-rw2Z3w%40mail.gmail.com.
