Hi,
Yes, it feels a bit too aggressive to return an IllegalArgumentException, but I think it makes sense as there is already a check via the hasDelegationRequestFailed method to know if the authentication has failed. The check may be incomplete though...
In fact, it's the responsibility of pac4j to handle cancelled/failed authentications and in that case, it returns null credentials (for delegated authentications), but here, the CAS server takes over.
In any case, we should certainly avoid throwing an IllegalArgumentException when pac4j returns null credentials.
How do you get the AuthnFailed SAML response?
Thanks.
Best regards,
Jérôme