CAS 7.2 OIDC with webflow not working


Marcin Majcherczyk

Jun 11, 2025, 9:30:23 AM
to CAS Community
Hello Group,

It seems like there were plenty of changes from v6.6 to 7.2, and after the upgrade the cfg stopped working. We are using CAS with OpenID via webflow to authenticate users via an AAD Enterprise application.
After the upgrade to CAS 7.2 I can see errors:
No delegated authentication providers could be determined based on the provided configuration.

WARN [org.apereo.cas.authentication.DefaultAuthenticationManager] The resulting authentication attempt has not recorded any successes or failures.
This typically means that no authentication handler could be found to support the authentication request or the credential types provided.
The authentication handlers that were examined are: [ProxyAuthenticationHandler]

DEBUG [org.apereo.cas.web.flow.DefaultDelegatedClientIdentityProviderConfigurationProducer] Initialized context with request parameters [{service=[https://my.website]}]
DEBUG [org.apereo.cas.support.pac4j.authentication.clients.RefreshableDelegatedIdentityProviders] The following clients are built: [[]]

A similar case was reported here: https://groups.google.com/a/apereo.org/g/cas-user/c/AOgHVuZ0Qw8/m/uicc-AwOCAAJ but it seems like there is no solution.

Does anybody have working configuration to use auth via Azure OIDC?

In the lab I'm using Docker with cas.properties:
CasFeatureModule.Authentication.azuread.enabled=true
CasFeatureModule.DelegatedAuthentication.enabled=true
CasFeatureModule.DelegatedAuthentication.dynamic-discovery.enabled=true

cas.server.prefix=${cas.server.name}/cas

#logging.config=file:/etc/cas/config/log4j2.xml

server.ssl.enabled=true
server.ssl.key-store=file:/etc/cas/cas-keystore.p12
server.ssl.key-store-password=changeit
server.ssl.key-password=changeit
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=cas

cas.authn.pac4j.oidc[0].azure.id={ID}
cas.authn.pac4j.oidc[0].azure.secret={SECRET}
cas.authn.pac4j.oidc[0].azure.discovery-uri=https://login.microsoftonline.com/{cut}/v2.0/.well-known/openid-configuration
cas.authn.pac4j.oidc[0].azure.auto-redirect-type=SERVER
cas.authn.pac4j.oidc[0].azure.client-name=USOSCAS
cas.authn.pac4j.oidc[0].azure.enabled=true
cas.authn.pac4j.oidc[0].azure.principal-id-attribute=email
cas.authn.pac4j.oidc[0].azure.scope=openid,profile,email
cas.authn.pac4j.oidc[0].azure.tenant={TENANT}

But unfortunately this config does not redirect to the MS login page.

Pablo Vidaurri

Jun 11, 2025, 11:11:22 AM
to CAS Community, Marcin Majcherczyk
Do you have the correct pac4j lib?
implementation "org.apereo.cas:cas-server-support-pac4j-oidc"
I tried to go to CAS 7.1 but had issues with Azure B2C (entraId) so I had to stay on 6.6.15.1 using generic OIDC.

Can you try defining the OIDC client under allowedProviders in your service file:
{
  "@class": "org.apereo.cas.services.CasRegisteredService",
  "serviceId": "^https?://xxxxx.*",
  "name": "xxxxx",
  "id": 2019032500020,
  "evaluationOrder": 12345,
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "ssoEnabled": true,
    "delegatedAuthenticationPolicy": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      "allowedProviders": [ "java.util.ArrayList", [ "USOSCAS" ] ],
      "permitUndefined": true,
      "exclusive": true
    }
  }
}

Ray Bon

Jun 11, 2025, 11:11:22 AM
to cas-...@apereo.org
Marcin,


...
<Logger name="org.pac4j" level="debug" additivity="false">
    <AppenderRef ref="casConsole"/>
    <AppenderRef ref="casFile"/>
</Logger>
...
Ray


Marcin Majcherczyk

Jun 11, 2025, 2:52:38 PM
to CAS Community
I've managed to run it somehow; it looks like the Docker image does not load "pac4j-oidc": https://apereo.github.io/cas/7.2.x/installation/Docker-Installation.html.
Some parameters have changed, but I've adjusted all of the config.
Is it possible to load it with an environment parameter, or do I need to make a custom build with https://getcas.apereo.org/ui?

Marcin Majcherczyk

Jun 11, 2025, 2:52:38 PM
to CAS Community, Ray Bon
It looks like pac4j is not available in the Docker image of CAS. Is it possible to load it with a parameter? I don't see any parameters in the description: https://apereo.github.io/cas/7.2.x/installation/Docker-Installation.html
I've managed to generate cas.war with the help of https://getcas.apereo.org/ui, where I selected the pac4j library to add, and it partially worked out: redirecting to Entra and auth succeeded.


Ray Bon

Jun 11, 2025, 9:53:56 PM
to cas-...@apereo.org
Marcin,

In addition to the package suggested by Pablo, you may also need:
implementation "org.apereo.cas:cas-server-support-pac4j-webflow"


Ray

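The thread traces the empty client list ("The following clients are built: [[]]") to a WAR that does not contain the pac4j modules. As an added example (not code from the posters or the CAS project), this Python script checks a WAR's WEB-INF/lib for the two artifacts named in the replies; the jar naming pattern and the sample jar names and versions are constructed assumptions.

```python
import io
import re
import zipfile

# Module artifacts named in the thread. The jar naming inside the WAR
# (WEB-INF/lib/<artifact>-<version>.jar) is an assumption.
REQUIRED_MODULES = (
    "cas-server-support-pac4j-oidc",
    "cas-server-support-pac4j-webflow",
)


def missing_modules(war, required=REQUIRED_MODULES):
    """Return the required artifacts that have no matching jar in WEB-INF/lib."""
    with zipfile.ZipFile(war) as zf:
        jars = [n.rsplit("/", 1)[-1] for n in zf.namelist()
                if n.startswith("WEB-INF/lib/") and n.endswith(".jar")]
    missing = []
    for artifact in required:
        # Require "<artifact>-<digit>..." so that pac4j-oidc is not satisfied
        # by a longer artifact id that merely starts with the same text.
        pattern = re.compile(re.escape(artifact) + r"-\d[\w.\-]*\.jar$")
        if not any(pattern.match(j) for j in jars):
            missing.append(artifact)
    return missing


def build_sample_war(jar_names):
    """Constructed in-memory WAR holding empty jars, for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in jar_names:
            zf.writestr("WEB-INF/lib/" + name, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed samples: a WAR without pac4j and a custom build with it.
    stock = build_sample_war(["cas-server-core-7.2.0.jar"])
    custom = build_sample_war([
        "cas-server-core-7.2.0.jar",
        "cas-server-support-pac4j-oidc-7.2.0.jar",
        "cas-server-support-pac4j-webflow-7.2.0.jar",
    ])
    print("stock WAR missing:", missing_modules(stock))
    print("custom WAR missing:", missing_modules(custom))
```

missing_modules() also accepts a filesystem path, so it can be pointed at a cas.war copied out of a container or produced by a custom build.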