Please check https://apereo.github.io/cas/7.1.x/services/SAML2-Service-Management.html for the example.
I think you are missing `"@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",`

On Fri, Nov 15, 2024 at 12:38 PM Neon Dazzle <chicole...@gmail.com> wrote:

> Thank you so much.
> I changed the endpoint and now it's telling me my application is not
> authorized to use CAS. It's weird because I can see the service entry
> when I go to this endpoint: cas/actuator/registeredService
>
> {
>   "serviceId": "https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc",
>   "name": "JIRA",
>   "id": 1726778135108,
>   "description": "JIRA",
>   "proxyTicketExpirationPolicy": {
>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
>   },
>   "serviceTicketExpirationPolicy": {
>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
>   },
>   "evaluationOrder": 27,
>   "attributeReleasePolicy": {
>     "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>   },
>   "accessStrategy": {
>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "requireAllAttributes": false
>   },
>   "metadataLocation": "/etc/cas/saml/jira-metadat.xml",
>   "issuerEntityId": "",
>   "signingCredentialType": "X509"
> },
>
> I must be still missing something.
>
> On Friday, November 15, 2024 at 13:38:43 UTC-5, Ocean Liu wrote:
>
>> Neon, the Destination in the SAMLRequest does not look right.
>>
>> It should be something like
>> https://cas.example.com/idp/profile/SAML2/Redirect/SSO, please check
>> your IdP metadata <SingleSignOnService
>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" part.
>>
>> And then, you need to change the Identity provider SSO URL in your
>> Atlassian admin panel.
>> https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on-with-an-identity-provider/#Copy-details-from-your-identity-provider-to-your-Atlassian-organization
>>
>> If you look at the dev tool, Atlassian was probably redirecting the
>> client to the CAS home page (/cas), instead of the SSO page
>> (/cas/idp/profile/SAML2/Redirect/SSO), so the cas app does not know to
>> handle the parameters.
>>
>> Good luck!
>>
>> On Friday, November 15, 2024 at 8:46:18 AM UTC-8 Neon Dazzle wrote:
>>
>>> Thank you so much to both of you for your answers! It's very appreciated.
>>> I did more tests and I still can't get this to work. I get the same
>>> result: I get sent to CAS from Atlassian, I enter my credentials, and then
>>> I don't get sent back to Atlassian, I'm stuck in CAS. The message says that
>>> I see this page because CAS doesn't know my final destination.
>>> I installed samltracer as suggested to try and find my mistake but I
>>> can't see it :(.
>>>
>>> Here is my metadata file:
>>>
>>> <?xml version="1.0"?>
>>> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>>>     validUntil="2024-11-03T19:47:00Z" cacheDuration="PT604800S"
>>>     entityID="https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc">
>>>   <md:SPSSODescriptor AuthnRequestsSigned="false"
>>>       WantAssertionsSigned="false"
>>>       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>>>     <md:KeyDescriptor use="signing">
>>>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>         <ds:X509Data>
>>>           <ds:X509Certificate>[certificate omitted]</ds:X509Certificate>
>>>         </ds:X509Data>
>>>       </ds:KeyInfo>
>>>     </md:KeyDescriptor>
>>>     <md:KeyDescriptor use="encryption">
>>>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>         <ds:X509Data>
>>>           <ds:X509Certificate>[certificate omitted]</ds:X509Certificate>
>>>         </ds:X509Data>
>>>       </ds:KeyInfo>
>>>     </md:KeyDescriptor>
>>>     <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
>>>     <md:AssertionConsumerService
>>>         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>>         Location="https://auth.atlassian.com/login/callback?connection=saml-b87b0545-cb70-4fe0-8c96-61034fefb7cc"
>>>         index="1"/>
>>>   </md:SPSSODescriptor>
>>> </md:EntityDescriptor>
>>>
>>> And here is the request I see using saml-tracer:
>>>
>>> <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>>     AssertionConsumerServiceURL="https://auth.atlassian.com/login/callback?connection=saml-b87b0545-cb70-4fe0-8c96-61034fefb7cc"
>>>     Destination="https://cas6dev.polymtl.ca/cas"
>>>     ID="_c59ebaed7f8b7fbc8dd55d5b0afb84fb"
>>>     IssueInstant="2024-11-15T15:59:41.525Z"
>>>     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>>     Version="2.0">
>>>   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc</saml2:Issuer>
>>>   <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
>>> </saml2p:AuthnRequest>
>>>
>>> Can you see any obvious mistake I am making?
>>>
>>> On Tuesday, November 5, 2024 at 23:38:01 UTC-5, Ray Bon wrote:
>>>
>>>> Neon,
>>>>
>>>> The Location and Binding protocol must match what is sent in the
>>>> request.
>>>> You can use a browser plugin like samltracer to see what the
>>>> request/response looks like.
>>>> Also check cas logs.
>>>>
>>>> Ray
>>>>
>>>> On Tue, 2024-11-05 at 10:44 -0800, Neon Dazzle wrote:
>>>>
>>>> Thank you so much for your answer.
>>>> I created the metadata file using a web service and added:
>>>>
>>>> <md:AssertionConsumerService
>>>>     index="1"
>>>>     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>>>     Location="https://atlassian.start.com" />
>>>>
>>>> I'm still getting no redirection and I stay on the CAS website.
>>>>
>>>> On Monday, November 4, 2024 at 13:38:22 UTC-5, Ray Bon wrote:
>>>>
>>>> Neon,
>>>>
>>>> ACS is required in metadata.
>>>> You can create the metadata file if the vendor does not supply it.
>>>> There are some online services that will help.
>>>>
>>>> Ray
>>>>
>>>> On Fri, 2024-11-01 at 12:17 -0700, Neon Dazzle wrote:
>>>>
>>>> Hi everyone, we have CAS6 and are trying to set up SSO with our
>>>> Atlassian org on the cloud. It seems like we almost have it, we get
>>>> redirected to CAS and the login works, but we can't get redirected to
>>>> Atlassian after, we are stuck in CAS.
>>>> It seems like there are no JSON parameters for redirection so I'm
>>>> wondering where we should put the ACS address given by Atlassian.
>>>> All our other services connected with CAS provide metadata files so
>>>> it's easy, but Atlassian doesn't provide that.
>>>> Has anyone been able to set up SSO with Atlassian Cloud?

--
Ocean Liu | Enterprise Web Developer | Whitman College
WCTS Building 105F - 509.527.4973
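
The checks suggested in this thread (the ACS Location and Binding in the SP metadata must match the request; the request's Destination must be the IdP SSO endpoint), written as an added example that is not from the thread or from CAS. The hostnames, `IDP_SSO_URL` and both sample documents are constructed placeholders; the `validUntil` comparison goes beyond what the thread discusses.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Assumed IdP SSO endpoint (placeholder host, path as described in the thread).
IDP_SSO_URL = "https://cas.example.org/cas/idp/profile/SAML2/Redirect/SSO"

# Constructed sample input; only the two timestamps are taken from the thread.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    validUntil="2024-11-03T19:47:00Z" entityID="https://sp.example.org/saml/abc">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:AssertionConsumerService index="1" Binding="{POST}"
        Location="https://sp.example.org/login/callback?connection=saml-abc"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_constructed1" Version="2.0" IssueInstant="2024-11-15T15:59:41.525Z"
    Destination="https://cas.example.org/cas" ProtocolBinding="{POST}"
    AssertionConsumerServiceURL="https://sp.example.org/login/callback?connection=saml-abc">
  <saml:Issuer>https://sp.example.org/saml/abc</saml:Issuer>
</samlp:AuthnRequest>"""

def parse_ts(value):
    """Parse an xs:dateTime in UTC ('...Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_request(metadata_xml, request_xml, idp_sso_url):
    """Return the mismatches between a captured AuthnRequest and the SP metadata."""
    md, req = ET.fromstring(metadata_xml), ET.fromstring(request_xml)
    problems = []
    # The Issuer must be the entityID the IdP has registered for this SP.
    if req.findtext("saml:Issuer", "", NS).strip() != md.get("entityID", "").strip():
        problems.append("issuer-not-entityID")
    # The requested (Binding, ACS URL) pair must appear in the metadata.
    acs = {(e.get("Binding"), e.get("Location", "").strip())
           for e in md.iterfind(".//md:AssertionConsumerService", NS)}
    wanted = (req.get("ProtocolBinding"), req.get("AssertionConsumerServiceURL", "").strip())
    if wanted not in acs:
        problems.append("acs-not-in-metadata")
    # The SP must send the request to the IdP's SSO endpoint, not its home page.
    if req.get("Destination") != idp_sso_url:
        problems.append("destination-not-sso-endpoint")
    # Metadata whose validUntil precedes the request is already expired.
    until = md.get("validUntil")
    if until and parse_ts(until) < parse_ts(req.get("IssueInstant")):
        problems.append("metadata-expired")
    return problems
```

Run `check_request(SP_METADATA, AUTHN_REQUEST, IDP_SSO_URL)` against a request copied from a SAML tracing plugin; an empty list means the request and the registered metadata agree on all four points.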