Muhammad,

As far as I know, Google only supports SAML2 for SSO but you declare the 
service as a CasRegisteredService.
CAS can be operated as a SAML2 Identity Provider by using this info: 
https://apereo.github.io/cas/7.2.x/authentication/Configuring-SAML2-Authentication.html
Keep in mind that documentation is for CAS 7.2.X, not your version, so your 
mileage may vary.

My Gsuite service file is very simple compared to yours:
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "google.com/a/<my customer domain>",
  "name" : "GSuite",
  "id" : 1599507217,
  "description" : "Gsuite Sign On for <my customer domain>",
  "metadataLocation" : "/etc/cas/saml/metadata/gsuite.xml",
  "evaluationOrder" : 10,
  "logoutType" : "NONE"
}
That logoutType:None value is from a few versions back. It is probably 
unnecessary now...

Other than that, you'll probably want to remove the 
validUntil="2025-08-06T07:27:46Z" portion from your metadata.
I'm not sure if you left the 
"Location="https://www.google.com/a/example.com/acs"" as example.com for 
security concerns but that value must reflect your real Google login page. 
I believe Google gives you this info somewhere on the third-party SSO 
config page.

On Monday, August 4, 2025 at 10:19:06 PM UTC-4 Muhammad Ikhsan wrote:

> Please help, I have a problem with SSO because it does not redirect the page 
> to Google after logging in to CAS.
>
> *Cas version: 6.6.10*
>
> *url not redirect:*
>
> https://example.com/cas/login?SAMLRequest=XXXXXXXXXXX&RelayState=https://accounts.google.com/CheckCookie?continue%3Dhttps://mail.google.com/mail/%26service%3Dmail%26checkedDomains%3Dyoutube%26checkConnection%3Dyoutube:153%26pstMsg%3D1%26osid%3D1%26flowName%3DGlifWebSignIn%26ltmpl%3Ddefault%26ifkv%3DAdBytiPbW68qdO8IkGQ2DGT2cLedFmYOCEhplUtBIgxp8uUOmKXqcR-mNxyeC2acB02MtICIjtbhiw
>
> *metadata sp:*
> <?xml version="1.0"?>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>                      validUntil="2025-08-06T07:27:46Z"
>                      cacheDuration="PT604800S"
>                      entityID="google.com/a/example.com">
>     <md:SPSSODescriptor AuthnRequestsSigned="true"
>                         WantAssertionsSigned="true"
>                         protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>         <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
>         <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>                                      Location="https://www.google.com/a/example.com/acs"
>                                      index="1" />
>     </md:SPSSODescriptor>
> </md:EntityDescriptor>
>
> *services*:
> {
>     "@class": "org.apereo.cas.services.CasRegisteredService",
>     "serviceId": "https://www.google.com/a/example.com/acs",
>     "name": "gapps",
>     "id": 1680247200,
>     "evaluationOrder": 10,
>     "metadataLocation": "C:/etc/cas/saml/metadatasp.xml",
>     "usernameAttributeProvider": {
>         "@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>         "usernameAttribute": "email"
>     },
>     "accessStrategy": {
>         "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>         "enabled": true,
>         "ssoEnabled": true
>     },
>     "delegatedAuthenticationPolicy": {
>         "@class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
>         "allowedProviders": ["java.util.ArrayList", ["Google"]],
>         "exclusive": true
>     },
>     "serviceTicketExpirationPolicy": {
>       "@class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy",
>       "numberOfUses": 1,
>       "timeToLive": "10"
>     },
>     "attributeReleasePolicy" : {
>       "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
>       "authorizedToReleaseProxyGrantingTicket" : true
>     },
>     "proxyPolicy" : {
>       "@class" : "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
>       "pattern": ".+"
>     },
>     "publicKey" : {
>       "@class" : "org.apereo.cas.services.RegisteredServicePublicKeyImpl",
>       "location" : "file:/etc/cas/keys/public2025.key",
>       "algorithm": "RSA"
>     },
>     "properties" : {
>       "@class" : "java.util.HashMap",
>       "skipRequiredServiceCheck" : {
>         "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>         "values" : [ "java.util.HashSet", [ "true" ] ]
>       }
>     }
> }
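
The points raised in the reply above (SAML service class, validUntil, ACS Location), as an added Python example that is not part of either message and not CAS code. The function name `check_google_sp`, the constructed sample data, and the assumption that `serviceId` is a regex matched against the SP `entityID` are illustrative.

```python
import json
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SAML_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"

def check_google_sp(metadata_xml, service_json, now=None):
    """Return findings for the points raised in the reply."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(metadata_xml)
    service = json.loads(service_json)
    findings = []
    # Google speaks SAML2, so the entry has to be a SAML service definition.
    if service.get("@class") != SAML_CLASS:
        findings.append("class: not a SamlRegisteredService")
    # Assumption: serviceId is a regex matched against the SP entityID.
    if not re.fullmatch(service.get("serviceId", ""), root.get("entityID", "")):
        findings.append("serviceId: does not match metadata entityID")
    # The reply advises removing validUntil; report it and whether it has passed.
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        state = "expired" if expiry <= now else "still valid"
        findings.append(f"validUntil: present ({state})")
    # The ACS Location must carry the real Google domain, not a placeholder.
    for acs in root.iter(MD + "AssertionConsumerService"):
        location = acs.get("Location", "").strip()
        if re.search(r"/a/example\.(com|org|net)/", location):
            findings.append("acs: placeholder domain in " + location)
    return findings

# Constructed sample input, reduced from the files quoted in this thread.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2025-08-06T07:27:46Z" entityID="google.com/a/example.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/example.com/acs" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_SERVICE = json.dumps({
    "@class": "org.apereo.cas.services.CasRegisteredService",
    "serviceId": "https://www.google.com/a/example.com/acs"})

if __name__ == "__main__":
    print("\n".join(check_google_sp(SAMPLE_METADATA, SAMPLE_SERVICE)))
```

The check assumes `validUntil` is a UTC timestamp ending in `Z`, as in the quoted metadata.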
