We planned to change our E-mail service provider to Gmail, however for some reason this had to abort. Before the plan aborts, I somehow managed to make Google to work with our SSO that is built on Apereo CAS. Here I post some useful information to help anyone who could run into same situation.
When I was working on this, an article provided me very much help: CAS configuration for G Suite , as well as some offical documents listed below:
- https://groups.google.com/a/apereo.org/g/cas-user/c/hXmHhSid1RM/m/bR2Q8NMmAAAJ?utm_medium=email&utm_source=footer
- https://apereo.github.io/cas/5.3.x/installation/Configuring-SAML2-Authentication.html
- https://apereo.github.io/cas/5.3.x/installation/Configuration-Properties.html#saml-idp)
But after reading those texts, I did not find out where to place my certificate and revalent private key, so I digged into the source code repository and found the way. If you look at the source code , you will find out it act like this:
- check if metadata.xml exists, if not generate one ( and public/private keys etc. )
- before generating cert and key files (for both signing and encryption), check if there is any existing file, force delete if found ( check code)
If you do not have metadata and certificate/key files, the most easy way to get one is to build a testing server to let it generates those files for you.
If you already have those files, just place it in /etc/cas/, or under the directory you specified by setting cas.authn.samlIdp.metadata.location in cas.properties.