Michal, Wouldsmina,

I see there are differences in the docs between 6.6 and 7.0.

In docs I see this:
Note that you can use more than one external identity provider with CAS, where 
each integration may be done with a different set of metadata and keys for CAS 
acting as the service provider

This is an odd statement given the whole point of federation. It may be so 
because a cas client [application] can only connect to one cas authn server. 
See this for an explanation of how cas handles different protocols and 
delegation https://fawnoos.com/2018/02/26/cas-delegation-protocols/

This page 
https://apereo.github.io/cas/7.0.x/integration/Delegate-Authentication-SAML-Discovery.html
 has a link to the shibboleth embedded discovery service 
https://shibboleth.atlassian.net/wiki/spaces/EDS10/overview which may be 
different than what is provided through geant.

I think discovery service is the best option. It allows for a possibly external 
list of IdPs, but not limited to the target service nor a 1 to 1 dependence on 
cas metadata(s).

Ray


________________________________
From: cas-user@apereo.org <cas-user@apereo.org> on behalf of wouldsmina 
<wouldsm...@gmail.com>
Sent: 12 July 2024 03:42
To: cas-user@apereo.org <cas-user@apereo.org>
Subject: Re: [cas-user] Delegated Authentication SAML2 : Single EntityID

Ray,

Yes, that's what I was going to do, but as CAS generates one SP per IdP to be 
authorised, I would need one SP per IdP in eduGain, which is contrary to the 
charter and not very useful. I'm going to try and see if the institutions 
concerned (there are 8) can modify their IdPs to authorise my CAS, but I'm 
afraid they don't have the necessary control and/or skills. Colleagues have 
advised me to try KeyCloak, but I'm the one who doesn't have the necessary 
skills yet.

Best regards,
Wouldsmina


On Thu, 11 Jul 2024 at 19:54, Ray Bon <r...@uvic.ca> wrote:
wouldsmina,

Your cas SP must be known to any IdP you want to authenticate with. If your cas 
SP metadata is in eduGAIN, that would be enough; otherwise you will have to 
send it to each IdP you want to interact with, which is much more work.

Ray
________________________________
From: cas-user@apereo.org <cas-user@apereo.org> on behalf of wouldsmina 
<wouldsm...@gmail.com>
Sent: 11 July 2024 00:43
To: cas-user@apereo.org <cas-user@apereo.org>
Subject: Re: [cas-user] Delegated Authentication SAML2 : Single EntityID

Hello Ray,

I get a menu with all the IdPs, I can authenticate on the IdPs, the SAML 
response returns to the CAS server, but it returns an error if it's not a 
response from the first IdP.
Here is the authentication page: https://auth.icoopeb.org/cas/login (for the 
moment, this CAS is not declared on other IdPs apart from the first).

I'm going to continue testing, and if I find the right configuration, I'll put 
it here for information. Thanks for your advice.

Wouldsmina.

On Thu, 11 Jul 2024 at 05:37, Ray Bon <r...@uvic.ca> wrote:
wouldsmina,

Are you getting a menu of IdPs to select from, or does cas always default to 
cas.authn.pac4j.saml[0]?
At the bottom of the cas doc page are a set of tabs 'MENU', 'DYNAMIC', 
'CUSTOM'. Dynamic has example JSON. If you want a menu, you could try creating 
a list of IdP entityIds in a JSON file. (We are only beginning with using cas 
for SAML, so I am doing a bit of guessing.)

RequestInitiator is optional, you can remove it from metadata.
SPs do not usually need the signing cert.

Ray
________________________________
From: cas-user@apereo.org <cas-user@apereo.org> on behalf of wouldsmina 
<wouldsm...@gmail.com>
Sent: 10 July 2024 12:58
To: cas-user@apereo.org <cas-user@apereo.org>
Subject: Re: [cas-user] Delegated Authentication SAML2 : Single EntityID

I've tried configuring all the IdPs with the same values (as in the example), 
but only the first one used works. In the metadata file generated by CAS, I 
find data specific to the first IdP:
<init:RequestInitiator 
Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" 
Location="https://auth.icoopeb.org/cas/login?client_name=lmu"/>

CAS also generates the saml-signing-cert-lmu.crt saml-signing-cert-lmu.key 
files, but I don't think that's a problem.

Thanks for the link, I had seen this documentation, but I don't understand what 
the json file of cas.authn.pac4j.core.discovery-selection.json.location should 
contain. Is there any documentation or an example?

Wouldsmina.


On Wed, 10 Jul 2024 at 21:06, Ray Bon <r...@uvic.ca> wrote:
Yes.
There is a section on IdP selection, 
https://apereo.github.io/cas/7.0.x/integration/Delegate-Authentication-DiscoverySelection.html

Ray
________________________________
From: cas-user@apereo.org <cas-user@apereo.org> on behalf of wouldsmina 
<wouldsm...@gmail.com>
Sent: 10 July 2024 03:16
To: cas-user@apereo.org <cas-user@apereo.org>
Subject: Re: [cas-user] Delegated Authentication SAML2 : Single EntityID

Hello Ray,
Thanks for your reply.
Here is an example of what I did:

cas.authn.pac4j.saml[6].keystore-password=password1
cas.authn.pac4j.saml[6].private-key-password=password2
cas.authn.pac4j.saml[6].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/ufra
cas.authn.pac4j.saml[6].service-provider-metadata-path=/etc/cas/config/sp-metadata-ufra.xml
cas.authn.pac4j.saml[6].keystore-path=/etc/cas/config/samlKeystore-ufra.jks
cas.authn.pac4j.saml[6].identity-provider-metadata-path=https://idp-cafe.ufra.edu.br/idp/shibboleth
cas.authn.pac4j.saml[6].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
cas.authn.pac4j.saml[6].client-name=idpufra
cas.authn.pac4j.saml[6].display-name=UFRA
cas.authn.pac4j.saml[6].logout-request-binding=

cas.authn.pac4j.saml[7].keystore-password=password3
cas.authn.pac4j.saml[7].private-key-password=password4
cas.authn.pac4j.saml[7].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/uce
cas.authn.pac4j.saml[7].service-provider-metadata-path=/etc/cas/config/sp-metadata-uce.xml
cas.authn.pac4j.saml[7].keystore-path=/etc/cas/config/samlKeystore-uce.jks
cas.authn.pac4j.saml[7].identity-provider-metadata-path=https://login.uce.cedia.edu.ec/saml2/idp/metadata.php
cas.authn.pac4j.saml[7].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
cas.authn.pac4j.saml[7].client-name=idpuce
cas.authn.pac4j.saml[7].display-name=Universidad Central del Ecuador
cas.authn.pac4j.saml[7].logout-request-binding=

cas.authn.pac4j.saml[8].keystore-password=password5
cas.authn.pac4j.saml[8].private-key-password=password6
cas.authn.pac4j.saml[8].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/uniandes
cas.authn.pac4j.saml[8].service-provider-metadata-path=/etc/cas/config/sp-metadata-uniandes.xml
cas.authn.pac4j.saml[8].keystore-path=/etc/cas/config/samlKeystore-uniandes.jks
cas.authn.pac4j.saml[8].identity-provider-metadata-path=https://login.uniandes.cedia.edu.ec/saml2/idp/metadata.php
cas.authn.pac4j.saml[8].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
cas.authn.pac4j.saml[8].client-name=idpuniandes
cas.authn.pac4j.saml[8].display-name=UNIANDES
cas.authn.pac4j.saml[8].logout-request-binding=

If I understand what you're proposing, I have to do this:

cas.authn.pac4j.saml[6].keystore-password=password1
cas.authn.pac4j.saml[6].private-key-password=password2
cas.authn.pac4j.saml[6].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/all
cas.authn.pac4j.saml[6].service-provider-metadata-path=/etc/cas/config/sp-metadata-all.xml
cas.authn.pac4j.saml[6].keystore-path=/etc/cas/config/samlKeystore-all.jks
cas.authn.pac4j.saml[6].identity-provider-metadata-path=https://idp-cafe.ufra.edu.br/idp/shibboleth
cas.authn.pac4j.saml[6].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
cas.authn.pac4j.saml[6].client-name=idpufra
cas.authn.pac4j.saml[6].display-name=UFRA
cas.authn.pac4j.saml[6].logout-request-binding=

cas.authn.pac4j.saml[7].keystore-password=password1
cas.authn.pac4j.saml[7].private-key-password=password2
cas.authn.pac4j.saml[7].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/all
cas.authn.pac4j.saml[7].service-provider-metadata-path=/etc/cas/config/sp-metadata-all.xml
cas.authn.pac4j.saml[7].keystore-path=/etc/cas/config/samlKeystore-all.jks
cas.authn.pac4j.saml[7].identity-provider-metadata-path=https://login.uce.cedia.edu.ec/saml2/idp/metadata.php
cas.authn.pac4j.saml[7].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
cas.authn.pac4j.saml[7].client-name=idpuce
cas.authn.pac4j.saml[7].display-name=Universidad Central del Ecuador
cas.authn.pac4j.saml[7].logout-request-binding=

Best regards
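
An added consistency check for the two property sets above (example code, not from the thread or the CAS project; the host and passwords in the sample are constructed placeholders). It parses cas.authn.pac4j.saml[N].* properties and reports where clients that claim one SP entityId still differ on the SP-side settings CAS would need to share, which is what turns one logical SP into one SP per IdP.

```python
"""Consistency check for CAS pac4j SAML2 delegation properties: clients that
share one service-provider-entity-id must also share metadata path, keystore
and passwords, and every client-name must stay unique."""
import re
from collections import defaultdict

KEY_RE = re.compile(r"^cas\.authn\.pac4j\.saml\[(\d+)\]\.([\w-]+)=(.*)$")
# SP-side properties that must agree for clients claiming the same entityId.
SP_KEYS = ("service-provider-metadata-path", "keystore-path",
           "keystore-password", "private-key-password")

def parse_saml_clients(text):
    """Return {index: {property: value}} for every saml[N] entry."""
    clients = defaultdict(dict)
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            clients[int(m.group(1))][m.group(2)] = m.group(3)
    return dict(clients)

def check_single_sp(clients):
    """Return findings as strings; an empty list means one consistent SP."""
    findings = []
    by_entity = defaultdict(list)
    for idx, props in sorted(clients.items()):
        by_entity[props.get("service-provider-entity-id")].append(idx)
    if len(by_entity) > 1:
        findings.append("%d distinct SP entityIds" % len(by_entity))
    for entity, idxs in by_entity.items():
        for key in SP_KEYS:
            if len({clients[i].get(key) for i in idxs}) > 1:
                findings.append("%s: %s differs across saml%s" % (entity, key, idxs))
    # client-name is selected by ?client_name= on the callback, so it must be unique
    names = [p.get("client-name") for p in clients.values()]
    if len(set(names)) != len(names):
        findings.append("duplicate client-name values")
    return findings

# Constructed sample (placeholder host and passwords): client 7 was moved to the
# shared entityId and metadata path but still points at its own keystore.
SAMPLE = """
cas.authn.pac4j.saml[6].keystore-password=password1
cas.authn.pac4j.saml[6].service-provider-entity-id=https://auth.example.org/cas/sp/all
cas.authn.pac4j.saml[6].service-provider-metadata-path=/etc/cas/config/sp-metadata-all.xml
cas.authn.pac4j.saml[6].keystore-path=/etc/cas/config/samlKeystore-all.jks
cas.authn.pac4j.saml[6].client-name=idpufra
cas.authn.pac4j.saml[7].keystore-password=password3
cas.authn.pac4j.saml[7].service-provider-entity-id=https://auth.example.org/cas/sp/all
cas.authn.pac4j.saml[7].service-provider-metadata-path=/etc/cas/config/sp-metadata-all.xml
cas.authn.pac4j.saml[7].keystore-path=/etc/cas/config/samlKeystore-uce.jks
cas.authn.pac4j.saml[7].client-name=idpuce
"""

if __name__ == "__main__":
    print("\n".join(check_single_sp(parse_saml_clients(SAMPLE))) or "OK")
```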

On Wed, 10 Jul 2024 at 00:37, Ray Bon <r...@uvic.ca> wrote:
Wouldsmina,

Once your SP metadata is in the specified location, cas will not recreate it.
Are you using a different entityId or key for each IdP? That is not necessary.

Ray
________________________________
From: cas-user@apereo.org <cas-user@apereo.org> on behalf of wouldsmina 
<wouldsm...@gmail.com>
Sent: 09 July 2024 02:03
To: CAS Community <cas-user@apereo.org>
Subject: [cas-user] Delegated Authentication SAML2 : Single EntityID

Hello,
I want to use identity delegation to allow other IdPs to authenticate a number 
of my services. I was inspired by this documentation: 
https://fawnoos.com/2023/10/04/cas66-delegate-authn-saml2-idp/. But I notice 
that for each declared IdP, CAS produces a different EntityId and metadata.

The IdPs concerned are part of the EduGain identity federation and I'd like to 
declare a single SP (for simplicity and to comply with the charter). Do you 
know if it's possible to configure CAS to create a single EntityId for all 
declared IdPs?

Best regards,
Wouldsmina

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org<mailto:cas-user+unsubscr...@apereo.org>.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNbBoMTU5rSOvnupAoykoEmyV-1_GtRtmkU2%3D4j7Lih2Hw%40mail.gmail.com<https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNbBoMTU5rSOvnupAoykoEmyV-1_GtRtmkU2%3D4j7Lih2Hw%40mail.gmail.com?utm_medium=email&utm_source=footer>.
