Juan, Cas will create IdP metadata and certificates if they do not exist (save them for future deploys). For your dev setup, you will have to add them to the directory before cas starts; either COPY into your container image or mount the volume when the container starts. If you use a traditional deployment (jenkins etc) let the tool install them.
Ray On Wed, 2024-10-09 at 17:53 -0700, Juan Fernando Rivera wrote: You don't often get email from eljuanfe...@gmail.com. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification> Hi, reading your post I think the problem is that the files in "/etc/cas/saml" (idp-encryption.*, idp-signing.*) are created every time CAS is restarted. I know that in a production environment this won't be an issue, but right now it is. Is there a way to prevent these files to recreating everytime my CAS container is restarted? Thanks in advance. On Monday, October 7, 2024 at 12:43:28 PM UTC-6 Ray Bon wrote: Juan, Can you clarify your description of the certificates and metadata? Liferay will create SP metadata with encryption certificate (and maybe signing too); you will create IdP metadata (cas will do this if it does not exist) with signing and encryption certificates. You point cas config at the certificates that you (or cas) created. Liferay SP certificates should be different from your IdP certificates. Ray On Sun, 2024-10-06 at 14:53 -0700, Juan Fernando Rivera wrote: You don't often get email from eljua...@gmail.com.Learn why this is important<https://aka.ms/LearnAboutSenderIdentification> Hi, I'm following the guidelines of configuring a SAML service in CAS, but I'm having trouble connecting to Liferay portal. In Liferay were created the certificates and imported in the idp-metadata file which was sent back to Liferay and imported. Everything runs fine, BUT after entering the credentials in CAS, this error (or similar) appears in Liferay logs: 2024-10-04 21:51:11.830 DEBUG [http-nio-0.0.0.0-9444-exec-4][ApacheSantuarioSignatureValidationProviderImpl:65] Validating signature with signature algorithm URI:http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 2024-10-04 21:51:11.830 DEBUG [http-nio-0.0.0.0-9444-exec-4][ApacheSantuarioSignatureValidationProviderImpl:66] Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl' 2024-10-04 21:51:11.831 WARN [http-nio-0.0.0.0-9444-exec-4][XMLSignature:891] Signature verification failed. 2024-10-04 21:51:11.831 DEBUG [http-nio-0.0.0.0-9444-exec-4][ApacheSantuarioSignatureValidationProviderImpl:78] Signature cryptographic validation not successful 2024-10-04 21:51:11.831 DEBUG [http-nio-0.0.0.0-9444-exec-4][BaseSignatureTrustEngine:244] Signature validation using candidate validation credential failed org.opensaml.xmlsec.signature.support.SignatureException: Signature cryptographic validation not successful ..... 2024-10-04 21:51:11.832 DEBUG [http-nio-0.0.0.0-9444-exec-4][ExplicitKeySignatureTrustEngine:124] Failed to verify signature using either KeyInfo-derived or directly trusted credentials 2024-10-04 21:51:11.833 DEBUG [http-nio-0.0.0.0-9444-exec-4][SAMLProtocolMessageXMLSignatureSecurityHandler:142] Message Handler: Validation of protocol message signature failed for context issuer 'ENTITY_ID', message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response 2024-10-04 21:51:11.833 DEBUG [http-nio-0.0.0.0-9444-exec-4][WebSsoProfileImpl:210] Validation of protocol message signature failed ..... According to the Liferay admin, the main issue may come from CAS, because is not using the right key to generate the values in the SAML Response. Other reason may be encryption or signature. I have tried both encryption and signature options in service.json file, but no avail, the errors are th same. How can I verify this suspicions of Liferay admin? how can I force CAS to use a certain private key to generate the data in SAML response? Thanks in advance. -- - Website: https://apereo.github.io/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e20d1542da170f67bf2ff7fd5d3c90e3a4d76c2a.camel%40uvic.ca.
