This might be a long shot but have you tried to URL encode the entity ID if
that's what you are putting in the serviceID?  For example:
https%3A%2F%2Fconncoll.reclaimhosting.com.  We are not yet using CAS for SAML2 so just
a guess as I know the MDQ endpoint needs it that way.

On Mon, Oct 28, 2024 at 8:23 PM Papa Amadou Baba NDIAYE <
papaamadoubaba.ndi...@unchk.edu.sn> wrote:

> Hello Andrew
> I have the same issue EntityRoleCriterion i'm using miniorange SAML SSO
> for Moodle
>
> Le mardi 7 mai 2024 à 22:53:14 UTC, Andrew Tillinghast a écrit :
>
>> Tried the suggested change, now the error is:
>>
>> ERROR
>> [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade]
>> - <Unable to locate a valid SAML metadata resolver for
>> https://mdq.incommon.org/entities/{0} to locate [EntityIdCriterion
>> [id=https://conncoll.reclaimhosting.com]
>>
>> But the upside it fails faster.
>>
>> On Fri, Feb 23, 2024 at 4:03 PM atilling <atil...@conncoll.edu> wrote:
>>
>>> This is an attempt to use "serviceId": ".+" as per the blog post.
>>> because it needs to be able to match any service it would need to load the
>>> whole metadata I would think. I can try to add the {0} but I was going off
>>> the example in https://fawnoos.com/2019/01/18/cas61-saml2-idp-incommon/
>>> On Friday, February 23, 2024 at 11:22:42 AM UTC-5 David Gelhar wrote:
>>>
>>>> Rather than fetching the entire (huge) InCommon metadata aggregate for
>>>> each service, it might work better to use the metadata query capability
>>>> <https://apereo.github.io/cas/6.6.x/installation/Configuring-SAML2-DynamicMetadata-MDQ.html>
>>>> in your service definitions to do a dynamic query for just the specific
>>>> service.
>>>>
>>>> For incommon, you would put this in your service definition:
>>>>
>>>> "metadataLocation" : "https://mdq.incommon.org/entities/{0}",
>>>>
>>>>
>>>>
>>>> On Monday, February 19, 2024 at 11:34:11 AM UTC-5 atilling wrote:
>>>>
>>>>> Clarification attempting to follow
>>>>> https://fawnoos.com/2019/01/18/cas61-saml2-idp-incommon/
>>>>>
>>>>> Now have 3 SPs working using the incommon metadata all with the same
>>>>> metadataLocation, those 3 are working fine (Equivalent to the Almond and
>>>>> Coco in the example) but when attempting to add the "All Others" section
>>>>> getting an error that the metadata can't be parsed. Is there an issue with
>>>>> memory or something similar?
>>>>> On Friday, February 2, 2024 at 1:42:16 PM UTC-5 atilling wrote:
>>>>>
>>>>>> Trying to add a service provider from incommon, have one service
>>>>>> provider working getting an error when trying to access a second one:
>>>>>>
>>>>>> 2024-02-02 11:49:20,456 INFO
>>>>>> [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.UrlResourceMetadataResolver]
>>>>>> - <Metadata file designated for service [PeopleAdmin] already exists at
>>>>>> path
>>>>>> [/etc/cas/saml/idp/metadata-backups/382b60a9f8c9677793e7711043ee8d9805fe2572.xml].>
>>>>>>
>>>>>> 2024-02-02 11:49:23,410 INFO
>>>>>> [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver]
>>>>>> - <Metadata signature location is undefined for [
>>>>>> https://md.incommon.org/InCommon/InCommon-metadata.xml]; metadata
>>>>>> signature validation will not be invoked>
>>>>>>
>>>>>> 2024-02-02 11:49:42,961 INFO
>>>>>> [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver]
>>>>>> - <Initialized metadata resolver from [
>>>>>> https://md.incommon.org/InCommon/InCommon-metadata.xml]>
>>>>>>
>>>>>> 2024-02-02 11:49:43,080 WARN
>>>>>> [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver]
>>>>>> - <SAML metadata resolver
>>>>>> [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver] obtained
>>>>>> from the cache is unable to produce/resolve valid metadata from [
>>>>>> https://md.incommon.org/InCommon/InCommon-metadata.xml]. Metadata
>>>>>> resolver cache entry with key
>>>>>> [ec3dbe763cb47bb5fb789f5daa2842e8fb8c7a8d76ae088017c5c20b2cdfe23d0406b562f2b6af931fbe2e4dce97fd1f7e2edf784be65dcc4c652eab1b37d147]
>>>>>> has been invalidated. Retry attempt: [2]>
>>>>>>
>>>>>> 2024-02-02 11:49:43,080 ERROR
>>>>>> [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade]
>>>>>> - <Unable to locate a valid SAML metadata resolver for
>>>>>> https://md.incommon.org/InCommon/InCommon-metadata.xml to locate
>>>>>> [EntityRoleCriterion
>>>>>> [role={urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor],
>>>>>> EntityIdCriterion [id=https://pa4078.peopleadmin.com/shibboleth]]
>>>>>>
>>>>>> SamlRegisteredServiceDefaultCachingMetadataResolver.java:lambda$resolve$1:94
>>>>>> RetryTemplate.java:doExecute:329
>>>>>> RetryTemplate.java:execute:209
>>>>>> >
>>>>>>
>>>>>> 2024-02-02 11:49:43,080 WARN
>>>>>> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController]
>>>>>> - <No metadata could be found for [
>>>>>> https://pa4078.peopleadmin.com/shibboleth]>
>>>>>>
>>>>>> 2024-02-02 11:49:43,080 WARN
>>>>>> [org.apereo.cas.util.function.FunctionUtils] - <Cannot find metadata linked
>>>>>> to https://pa4078.peopleadmin.com/shibboleth
>>>>>>
>>>>>> AbstractSamlIdPProfileHandlerController.java:verifySamlAuthenticationRequest:493
>>>>>> AbstractSamlIdPProfileHandlerController.java:initiateAuthenticationRequest:311
>>>>>> AbstractSamlIdPProfileHandlerController.java:lambda$handleSsoPostProfileRequest$4:648
>>>>>> >
>>>>>>
>>>>>> 2024-02-02 11:49:43,081 ERROR [org.apereo.cas.web.support.WebUtils]
>>>>>> - <Cannot find metadata linked to
>>>>>> https://pa4078.peopleadmin.com/shibboleth
>>>>>>
>>>>>> AbstractSamlIdPProfileHandlerController.java:verifySamlAuthenticationRequest:493
>>>>>> AbstractSamlIdPProfileHandlerController.java:initiateAuthenticationRequest:311
>>>>>> AbstractSamlIdPProfileHandlerController.java:lambda$handleSsoPostProfileRequest$4:648
>>>>>> >
>>>>>>
>>>>>>
>>>>>> Also have the entry in cas.properties for:
>>>>>>
>>>>>> cas.saml-sp.in-common.metadata=https://md.incommon.org/InCommon/InCommon-metadata.xml
>>>>>>
>>>>>> service json looks like this
>>>>>>
>>>>>> {
>>>>>>   @class: org.apereo.cas.support.saml.services.SamlRegisteredService
>>>>>>   serviceId: https://pa4078.peopleadmin.com/shibboleth
>>>>>>   name: PeopleAdmin
>>>>>>   id: 1706734145472
>>>>>>   description: InCommon SAML SP Integration for PeopleAdmin
>>>>>>   evaluationOrder: 2147483642 <(214)%20748-3642>
>>>>>>   usernameAttributeProvider:
>>>>>>   {
>>>>>>     @class:
>>>>>> org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider
>>>>>>     usernameAttribute: eduPersonPrincipalName
>>>>>>   }
>>>>>>   attributeReleasePolicy:
>>>>>>   {
>>>>>>     @class: org.apereo.cas.services.ChainingAttributeReleasePolicy
>>>>>>     policies:
>>>>>>     [
>>>>>>       java.util.ArrayList
>>>>>>       [
>>>>>>         {
>>>>>>           @class:
>>>>>> org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
>>>>>>           allowedAttributes:
>>>>>>           {
>>>>>>             @class: java.util.TreeMap
>>>>>>   displayName:
>>>>>>   [
>>>>>>     java.util.ArrayList
>>>>>>     [
>>>>>>       urn:oid:2.16.840.1.113730.3.1.241
>>>>>>     ]
>>>>>>   ]
>>>>>>   eduPersonPrimaryAffiliation:
>>>>>>   [
>>>>>>     java.util.ArrayList
>>>>>>     [
>>>>>>       urn:oid:1.3.6.1.4.1.5923.1.1.1.5
>>>>>>     ]
>>>>>>   ]
>>>>>>   eduPersonPrincipalName:
>>>>>>   [
>>>>>>     java.util.ArrayList
>>>>>>     [
>>>>>>       urn:oid:1.3.6.1.4.1.5923.1.1.1.6
>>>>>>       emailaddress
>>>>>>     ]
>>>>>>   ]
>>>>>>   givenName:
>>>>>>   [
>>>>>>     java.util.ArrayList
>>>>>>     [
>>>>>>       givenname
>>>>>>     ]
>>>>>>   ]
>>>>>>   sn:
>>>>>>   [
>>>>>>     java.util.ArrayList
>>>>>>     [
>>>>>>       surname
>>>>>>     ]
>>>>>>   ]
>>>>>>           }
>>>>>>         }
>>>>>>       ]
>>>>>>     ]
>>>>>>     mergingPolicy: REPLACE
>>>>>>     principalAttributesRepository:
>>>>>>     {
>>>>>>       @class:
>>>>>> org.apereo.cas.authentication.principal.ChainingPrincipalAttributesRepository
>>>>>>     }
>>>>>>     consentPolicy:
>>>>>>     {
>>>>>>       @class:
>>>>>> org.apereo.cas.services.consent.ChainingRegisteredServiceConsentPolicy
>>>>>>     }
>>>>>>     authorizedToReleaseAuthenticationAttributes: true
>>>>>>   }
>>>>>>   metadataLocation:
>>>>>> https://md.incommon.org/InCommon/InCommon-metadata.xml
>>>>>>   metadataCriteriaDirection: INCLUDE
>>>>>>   metadataCriteriaPattern: https://authproxy.conity.com/saml2
>>>>>>   signingCredentialType: BASIC
>>>>>> }
>>>>>>
>>>>>>
>>>>>> cas.saml-sp.in-common.metadata=
>>>>>>
>>>>>
>>
>> --
>>
>> Andrew Tillinghast
>> Sr. Tech Lead Identity and Access Management
>> atil...@conncoll.edu
>> 270 Mohegan Avenue
>> New London, CT 06320-4196
>> Ph:860 439-5265 Fax: 860 439-2871
>>
>> --
> - Website: https://apereo.github.io/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/c84d0e50-ec83-4cb7-8c3e-d5b36230a4e0n%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/c84d0e50-ec83-4cb7-8c3e-d5b36230a4e0n%40apereo.org?utm_medium=email&utm_source=footer>
> .
>


-- 
Jonathon Taylor (he/him)
Information Security Office
jonath...@berkeley.edu
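To make the two suggestions in this thread concrete (the {0} placeholder in an MDQ metadataLocation, and URL-encoding the entity ID that goes into it), here is an added example; it is not code from the thread or from CAS. It assumes the MDQ identifier forms (percent-encoded entityID, or the {sha1} transform) and a constructed metadata sample, and it checks the two criteria the CAS log names: EntityIdCriterion and EntityRoleCriterion.

```python
# Added example: derive an MDQ lookup URL from a CAS-style metadataLocation
# template and an SP entityID, then verify the returned EntityDescriptor
# satisfies EntityIdCriterion (entityID matches) and EntityRoleCriterion
# (an SPSSODescriptor is present).  Not CAS code; assumptions noted inline.
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import quote

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SP_ROLE = "{%s}SPSSODescriptor" % MD_NS


def mdq_url(template: str, entity_id: str, use_sha1: bool = False) -> str:
    """Fill the {0} placeholder of e.g. https://mdq.incommon.org/entities/{0}.
    MDQ identifiers are either the entityID percent-encoded with no reserved
    characters left bare (so ':' -> %3A and '/' -> %2F), or the '{sha1}'
    transform: the literal '{sha1}' followed by the hex SHA-1 of the entityID."""
    if use_sha1:
        ident = "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    else:
        ident = quote(entity_id, safe="")
    return template.replace("{0}", ident)


def check_entity_descriptor(xml_text: str, entity_id: str) -> dict:
    """Report which of the two CAS criteria a metadata document satisfies."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        return {"entity_id": False, "sp_role": False}
    return {
        "entity_id": root.get("entityID") == entity_id,
        "sp_role": root.find(SP_ROLE) is not None,
    }


# Constructed sample of the kind of document an MDQ server returns for an SP
# (trimmed to the parts the two criteria look at).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://pa4078.peopleadmin.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    eid = "https://pa4078.peopleadmin.com/shibboleth"
    print(mdq_url("https://mdq.incommon.org/entities/{0}", eid))
    print(mdq_url("https://mdq.incommon.org/entities/{0}", eid, use_sha1=True))
    print(check_entity_descriptor(SAMPLE_SP_METADATA, eid))
```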
