json services and optional delegated login

Pablo Vidaurri

May 9, 2025, 1:42:29 PM5/9/25
to CAS Community
I have an OIDC delegated service to Azure and it has
cas.authn.pac4j.oidc[0].generic.client-name=AzureClient
cas.authn.pac4j.oidc[0].generic.auto-redirect-type=SERVER

I then have a few service files that have:
"accessStrategy": {
  "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
  "enabled": true,
  "ssoEnabled": true,
  "delegatedAuthenticationPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
    "allowedProviders" : [ "java.util.ArrayList", [ "AzureClient" ] ],
    "permitUndefined": false,
    "exclusive": true
  }
}

Auto redirect to Azure works well.

But now I have another service that should not redirect and should instead log in via the cas/login page. For that, my service file simply has this for accessStrategy:
"accessStrategy": {
  "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
  "enabled": true,
  "ssoEnabled": true
},

But this is still redirecting to the AzureClient.
If I remove
cas.authn.pac4j.oidc[0].generic.auto-redirect-type=SERVER
from the config, it then does not redirect my clients intended for delegated login to AzureClient.

Any workarounds or something that I am missing? I also made sure the evaluationOrder looks for services meant for cas/login authentication first.

Another strange thing regarding evaluationOrder: I thought the first one it finds is the one it uses. But I see in the logs that CAS is going through each one, with messages like

 WHAT: {result=Client Access Granted,
 WHAT: {result=Client Access Denied,  
 WHAT: {result=Client Access Granted,

The regex matches both the 1st and the 3rd, but I want the 1st one (the more specific regex) to be used.

-psv
  

leleuj

May 19, 2025, 3:21:25 AM5/19/25
to CAS Community, Pablo Vidaurri
Hi,

Yes, things are a bit tricky with the delegation redirection feature.

Which version of the CAS server do you use?

With v7.2.2, you should define:

"accessStrategy": {
  "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
  "enabled": true,
  "ssoEnabled": true,
  "delegatedAuthenticationPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
    "allowedProviders" : [ "java.util.ArrayList", [ ] ],
    "permitUndefined": false,
    "exclusive": false
  }
}

Thanks.
Best regards,
Jérôme
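
As an added illustration, not code from this thread or from the CAS project, the following Python script models the two rules the posts above are reasoning about: registered services are evaluated in ascending evaluationOrder and the first serviceId regex that matches the requesting URL wins, and the winner's delegatedAuthenticationPolicy (allowedProviders, permitUndefined, exclusive) decides whether the cas/login form stays available or only delegation is offered. The sample registry embeds the accessStrategy blocks posted by Pablo and the one suggested by Jérôme; the surrounding serviceId patterns, names, ids and evaluationOrder values are constructed. Two semantics are assumptions made for the model rather than facts taken from CAS source: permitUndefined defaults to true, and a client configured with auto-redirect-type=SERVER is followed whenever it is among the providers offered for the matched service (which is the behaviour Pablo observed). It is a linting aid for service JSON files, not a reimplementation of CAS.

```python
"""Added example (not CAS code): lint CAS JSON service files by modelling
evaluationOrder selection and the delegatedAuthenticationPolicy outcome.
Simplifying assumptions: lower evaluationOrder is evaluated first; the
first matching serviceId regex wins; permitUndefined defaults to true; a
client with auto-redirect-type=SERVER is followed whenever it is offered."""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample registry. serviceId patterns, names, ids and
# evaluationOrder values are assumptions; the accessStrategy blocks are the
# two posted by Pablo (1001, 1002) and the one suggested by Jérôme (1003).
SERVICE_FILES = {
    "portal-delegated-1001.json": r'''{
  "@class": "org.apereo.cas.services.CasRegisteredService",
  "serviceId": "^https://portal\\.example\\.edu/.*",
  "name": "portal-delegated", "id": 1001, "evaluationOrder": 20,
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true, "ssoEnabled": true,
    "delegatedAuthenticationPolicy": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      "allowedProviders": ["java.util.ArrayList", ["AzureClient"]],
      "permitUndefined": false, "exclusive": true
    }
  }
}''',
    "portal-admin-local-1002.json": r'''{
  "@class": "org.apereo.cas.services.CasRegisteredService",
  "serviceId": "^https://portal\\.example\\.edu/admin/.*",
  "name": "portal-admin-local", "id": 1002, "evaluationOrder": 10,
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true, "ssoEnabled": true
  }
}''',
    "reports-login-only-1003.json": r'''{
  "@class": "org.apereo.cas.services.CasRegisteredService",
  "serviceId": "^https://reports\\.example\\.edu/.*",
  "name": "reports-login-only", "id": 1003, "evaluationOrder": 30,
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true, "ssoEnabled": true,
    "delegatedAuthenticationPolicy": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      "allowedProviders": ["java.util.ArrayList", []],
      "permitUndefined": false, "exclusive": false
    }
  }
}''',
}


@dataclass
class Decision:
    service: str                    # winning service name, or "<unregistered>"
    mode: str                       # denied | cas-login | cas-login-or-delegate | delegate-only
    providers: tuple                # delegated clients offered for this service
    auto_redirect_to: Optional[str]  # client the browser would be sent to, if any


def load_services(files: dict) -> list:
    """Parse the JSON bodies and order them as CAS evaluates them (ascending evaluationOrder)."""
    return sorted((json.loads(body) for body in files.values()),
                  key=lambda s: s.get("evaluationOrder", 0))


def match_service(services: list, url: str) -> Optional[dict]:
    """First serviceId regex, in evaluationOrder, that matches the URL wins."""
    return next((s for s in services if re.match(s["serviceId"], url)), None)


def decide(services, url, configured_clients, auto_redirect_clients=()) -> Decision:
    svc = match_service(services, url)
    if svc is None:
        return Decision("<unregistered>", "denied", (), None)
    strategy = svc.get("accessStrategy", {})
    if not strategy.get("enabled", True):
        return Decision(svc["name"], "denied", (), None)
    policy = strategy.get("delegatedAuthenticationPolicy")
    if policy is None:
        # No policy at all: every configured client is offered next to the login form.
        allowed, exclusive = tuple(configured_clients), False
    else:
        allowed = tuple(policy.get("allowedProviders", [None, []])[1])
        if not allowed and policy.get("permitUndefined", True):  # assumed default
            allowed = tuple(configured_clients)
        exclusive = bool(policy.get("exclusive", False))
    mode = "cas-login" if not allowed else ("delegate-only" if exclusive else "cas-login-or-delegate")
    redirect = next((c for c in allowed if c in auto_redirect_clients), None)
    return Decision(svc["name"], mode, allowed, redirect)


if __name__ == "__main__":
    registry = load_services(SERVICE_FILES)
    for u in ("https://portal.example.edu/admin/users",
              "https://portal.example.edu/home", "https://reports.example.edu/q"):
        print(u, decide(registry, u, ("AzureClient",), ("AzureClient",)))
```

Run with AzureClient listed as an auto-redirect client and the model reproduces the symptom from the first post: the admin service has no delegatedAuthenticationPolicy, so AzureClient is still among its offered providers and the redirect fires; drop AzureClient from the auto-redirect list and the same service keeps the login form with AzureClient as an optional button. Because the admin service's more specific regex carries the lower evaluationOrder, it wins over the broader portal pattern, and Jérôme's empty allowedProviders with permitUndefined false yields a service where no provider is offered at all.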

Pablo Vidaurri

May 20, 2025, 11:39:03 PM5/20/25
to CAS Community, leleuj, Pablo Vidaurri
Hi Jerome

I'm still on v6.6.15.1 ... looking to go to 7.2 soon, but there are too many issues that I'm facing with that version.

I managed to get it working by leaving my service files as posted above but then setting
cas.authn.pac4j.oidc[0].generic.auto-redirect-type=SERVER
to the value NONE.

It is strange because from the docs it looks like the default value, if not defined, will be NONE, but it only started working after I explicitly set it to NONE.

-psv

Jérôme LELEU

May 21, 2025, 1:27:59 AM5/21/25
to Pablo Vidaurri, CAS Community
Hi,

Quite strange as NONE is indeed the default value.
6.6 is not so old, but the core problem is that it no longer receives security fixes. It's worth taking a look at: https://apereo.github.io/
Thanks.
Best regards,
Jérôme