Hi, sorry for the lateness, I was experimenting with the setup. I have a service defined in "service.json"; it has ID 1751, and serviceId is the entityId for SAML.
The service has the following definition:

{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "id": 1751,
  "evaluationOrder": 1751,
  "serviceId": "SERVER/saml/liferay",
  "name": "pruebaSAML",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes": [ "java.util.ArrayList", [ "mail" ] ]
  },
  "usernameAttributeProvider": {
    "@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute": "mail",
    "canonicalizationMode": "LOWER"
  },
  "metadataLocation": "file:///etc/cas/saml/sp-pruebaSAML-metadata.xml",
  "metadataSignatureLocation": "file:///etc/cas/saml/pruebaSAML-1751/idp-signing.crt"
}

The file sp-pruebaSAML-metadata.xml contains the certificate created at Liferay. That certificate is also stored in the file specified by the metadataSignatureLocation property of the service.

I have the metadata in the dir "/etc/cas/saml/service-1751". That metadata was constructed from the URL "casServer/idp/metadata", changing the following:
- entityID (I changed it to the one defined in the service.json file)
- X509Certificate (using one created outside of CAS)

From what I read in your post: "You point cas config at the certificates that you (or cas) created". Surely this point is missing or misconfigured. How can I ensure that cas is pointing to the certificates I created and put into the idp-metadata stored in the dir "/etc/cas/saml/service-1751"?

Thanks in advance.

On Monday, October 7, 2024 at 12:43:28 PM UTC-6 Ray Bon wrote:
> Juan,
>
> Can you clarify your description of the certificates and metadata?
>
> Liferay will create SP metadata with encryption certificate (and maybe
> signing too); you will create IdP metadata (cas will do this if it does not
> exist) with signing and encryption certificates. You point cas config at
> the certificates that you (or cas) created. Liferay SP certificates should
> be different from your IdP certificates.
>
> Ray
>
> On Sun, 2024-10-06 at 14:53 -0700, Juan Fernando Rivera wrote:
>
> Hi, I'm following the guidelines for configuring a SAML service in CAS, but
> I'm having trouble connecting to Liferay portal.
>
> The certificates were created in Liferay and imported into the idp-metadata
> file, which was sent back to Liferay and imported. Everything runs fine, BUT
> after entering the credentials in CAS, this error (or similar) appears in
> Liferay logs:
>
> 2024-10-04 21:51:11.830 DEBUG [http-nio-0.0.0.0-9444-exec-4][ApacheSantuarioSignatureValidationProviderImpl:65] Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
> 2024-10-04 21:51:11.830 DEBUG [http-nio-0.0.0.0-9444-exec-4][ApacheSantuarioSignatureValidationProviderImpl:66] Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
> 2024-10-04 21:51:11.831 WARN [http-nio-0.0.0.0-9444-exec-4][XMLSignature:891] Signature verification failed.
> 2024-10-04 21:51:11.831 DEBUG [http-nio-0.0.0.0-9444-exec-4][ApacheSantuarioSignatureValidationProviderImpl:78] Signature cryptographic validation not successful
> 2024-10-04 21:51:11.831 DEBUG [http-nio-0.0.0.0-9444-exec-4][BaseSignatureTrustEngine:244] Signature validation using candidate validation credential failed
> org.opensaml.xmlsec.signature.support.SignatureException: Signature cryptographic validation not successful
> .....
> 2024-10-04 21:51:11.832 DEBUG [http-nio-0.0.0.0-9444-exec-4][ExplicitKeySignatureTrustEngine:124] Failed to verify signature using either KeyInfo-derived or directly trusted credentials
> 2024-10-04 21:51:11.833 DEBUG [http-nio-0.0.0.0-9444-exec-4][SAMLProtocolMessageXMLSignatureSecurityHandler:142] Message Handler: Validation of protocol message signature failed for context issuer 'ENTITY_ID', message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
> 2024-10-04 21:51:11.833 DEBUG [http-nio-0.0.0.0-9444-exec-4][WebSsoProfileImpl:210] Validation of protocol message signature failed
> .....
>
> According to the Liferay admin, the main issue may come from CAS, because
> it is not using the right key to generate the values in the SAML Response.
> Another reason may be encryption or signature.
> I have tried both encryption and signature options in the service.json file,
> but to no avail; the errors are the same.
> How can I verify these suspicions of the Liferay admin? How can I force CAS to
> use a certain private key to generate the data in the SAML response?
>
> Thanks in advance.
>

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4c00bc04-fe53-43ff-bca1-71a1d97d2b2an%40apereo.org.
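The Liferay log above says the IdP signing certificate it trusts does not verify the Response CAS signed, so the first thing to check is whether the certificate file CAS signs with (the idp-signing.crt CAS keeps beside its IdP metadata) is byte-for-byte one of the signing certificates in the IdP metadata that Liferay imported. The following diagnostic is an added example, not code from the thread or from CAS; the metadata XML and certificate bytes in it are constructed stand-ins, and in practice you would read the real files instead.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and return the DER bytes of the certificate."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, colon-separated as openssl and keytool print it."""
    hx = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hx[i:i + 2] for i in range(0, len(hx), 2))

def metadata_signing_certs(xml_text: str) -> list:
    """DER bytes of every certificate the IdP metadata advertises for signing.
    A KeyDescriptor without a 'use' attribute covers both uses, so it counts."""
    root = ET.fromstring(xml_text)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            for c in kd.iterfind(".//ds:X509Certificate", NS):
                certs.append(base64.b64decode("".join(c.text.split())))
    return certs

def signing_cert_matches(xml_text: str, pem: str) -> bool:
    """True when the certificate file is one the metadata lists for signing."""
    return pem_to_der(pem) in metadata_signing_certs(xml_text)

def as_pem(der: bytes) -> str:
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

# Constructed sample data: these bytes stand in for DER certificates so the
# check runs offline; they are not real X.509 certificates.
CERT_A = b"constructed-der-bytes-of-signing-cert-A"
CERT_B = b"constructed-der-bytes-of-encryption-cert-B"
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="SERVER/idp">
 <md:IDPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   {base64.b64encode(CERT_A).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   {base64.b64encode(CERT_B).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

if __name__ == "__main__":
    for name, der in (("idp-signing.crt", CERT_A), ("idp-encryption.crt", CERT_B)):
        print(name, fingerprint(der), signing_cert_matches(IDP_METADATA, as_pem(der)))
```

If the signing certificate file does not appear in the metadata Liferay holds, every Response CAS signs will fail exactly as logged; the same fingerprint can be compared against what Liferay shows for the imported IdP.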