CAS delegated auth to SAML in Azure doesn't like attribute in AuthnRequest XML (7.2.1)


BJ Sys Admin

Apr 25, 2025, 2:15:34 PM
to CAS Community
I have been working on configuring a new CAS server to do delegated SAML2 auth with Azure as IdP. I nearly have it working but I'm now facing an issue with the XML generated by CAS for the authentication request.

CAS is generating XML for the SAML request that looks like this:
######## BEGIN AUTHNREQUEST XML ########
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="https://cas01.XXX.XXX/cas/login?client_name=SAML2CLIENT"
                     AttributeConsumingServiceIndex="0"
                     Destination="https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/saml2"
                     ForceAuthn="false"
                     ID="_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
                     IsPassive="false"
                     IssueInstant="2025-04-24T20:51:39.720Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Version="2.0"
                     >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  NameQualifier="https://cas01.XXX.XXX"
                  >https://cas01.XXX.XXX</saml2:Issuer>
</saml2p:AuthnRequest>
######### END AUTHNREQUEST XML #########

I've highlighted two lines that define the Format and NameQualifier attributes of the Issuer element. When my tenant in Azure receives this request, it throws an AADSTS75005 error (invalid SAML protocol message). However, if I manually modify the XML to remove either of the two highlighted attributes (or both) and resubmit, the request clears and I am able to authenticate.

I've been looking and have not yet found any way to remove one or both of these attributes from the XML that is generated by CAS and sent (via the client browser) to Azure. Does anyone know if there is a way to remove at least one of these attributes so that delegated SAML2 auth will work with Azure?
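The following is an added example, not code from the thread or from CAS/pac4j. It decodes a SAMLRequest parameter as carried by either the HTTP-POST binding (base64) or the HTTP-Redirect binding (base64 over raw DEFLATE), checks that the payload is an AuthnRequest, and reports which attributes on the Issuer element would need to go before the request is sent to Azure. The sample request is constructed to match the shape posted above, with placeholder hosts, tenant id and request id; SPNameQualifier is flagged on the assumption that Azure treats it like NameQualifier, which the thread does not show.

```python
"""Pre-flight check for a SAML2 AuthnRequest before it reaches an IdP.

Decodes the SAMLRequest parameter (HTTP-POST or HTTP-Redirect binding),
confirms it is an AuthnRequest, and reports Issuer attributes such as
NameQualifier/Format that the thread shows Azure rejecting (AADSTS75005).
"""
import base64
import xml.etree.ElementTree as ET
import zlib

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2p": SAML2P, "saml2": SAML2}

# Attributes the SAML core schema allows on <Issuer> (a NameIDType). Azure is
# reported to reject Format and NameQualifier; SPNameQualifier is flagged on
# the assumption that it is treated the same way (not shown in the thread).
ISSUER_ATTRS = ("Format", "NameQualifier", "SPNameQualifier")

# Constructed sample: the shape of the request posted in the thread, with
# placeholder host, tenant id and request id. %s takes the Issuer attributes.
_TEMPLATE = b"""<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://cas01.example.org/cas/login?client_name=SAML2CLIENT"
    AttributeConsumingServiceIndex="0"
    Destination="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"
    ForceAuthn="false" ID="_constructed-request-id" IsPassive="false"
    IssueInstant="2025-04-24T20:51:39.720Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"%s>https://cas01.example.org</saml2:Issuer>
</saml2p:AuthnRequest>"""

# What CAS emitted for the poster (Azure rejects it) ...
REQUEST_WITH_QUALIFIER = _TEMPLATE % (
    b' Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"'
    b' NameQualifier="https://cas01.example.org"'
)
# ... and the same request with a bare Issuer (what Azure accepts).
REQUEST_FIXED = _TEMPLATE % b""


def decode_saml_request(param: str, binding: str = "post") -> bytes:
    """Undo the SAMLRequest encoding. The caller URL-decodes the value first.

    HTTP-POST carries plain base64; HTTP-Redirect carries base64 over raw
    DEFLATE (RFC 1951, no zlib header), hence the negative wbits.
    """
    raw = base64.b64decode(param, validate=True)
    if binding == "post":
        return raw
    if binding == "redirect":
        return zlib.decompress(raw, -zlib.MAX_WBITS)
    raise ValueError(f"unknown binding: {binding}")


def encode_saml_request(xml_bytes: bytes, binding: str = "post") -> str:
    """Inverse of decode_saml_request, used here to build realistic input."""
    if binding == "redirect":
        comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
        xml_bytes = comp.compress(xml_bytes) + comp.flush()
    elif binding != "post":
        raise ValueError(f"unknown binding: {binding}")
    return base64.b64encode(xml_bytes).decode("ascii")


def check_issuer(xml_bytes: bytes) -> dict:
    """Return the Issuer value plus the attributes on it that should be dropped.

    'ok' is True only when the Issuer carries none of ISSUER_ATTRS, i.e. the
    form the poster found Azure accepts.
    """
    # Input comes from a client browser: for production use prefer defusedxml,
    # which rejects entity expansion and DTDs outright.
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAML2P}}}AuthnRequest":
        raise ValueError(f"not a saml2p:AuthnRequest: {root.tag}")
    issuer = root.find("saml2:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest has no Issuer")
    offending = sorted(a for a in ISSUER_ATTRS if a in issuer.attrib)
    return {
        "issuer": issuer.text.strip(),
        "destination": root.get("Destination"),
        "offending": offending,
        "ok": not offending,
    }


if __name__ == "__main__":
    for label, req in (("as generated", REQUEST_WITH_QUALIFIER), ("fixed", REQUEST_FIXED)):
        param = encode_saml_request(req, "redirect")
        print(label, check_issuer(decode_saml_request(param, "redirect")))
```

Run it against a captured SAMLRequest by passing the URL-decoded parameter and the binding the client used; a non-empty "offending" list is the condition the poster hit, and for the NameQualifier half of it the fix is the `use-name-qualifier` property discussed later in the thread.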

BJ Sys Admin

Apr 25, 2025, 9:58:20 PM
to CAS Community, BJ Sys Admin
The UseNameQualifier property noted on this page may be what I'm looking for, but I'm at a loss for how to manually configure this property. All of the documentation I'm looking at appears to assume some level of understanding that is not spelled out and that I don't have. I'm attempting to do this with CAS Overlay and gradle.

It appears that the default for this property may be defined in the Pac4jSamlClientProperties.java file.

Ray Bon

Apr 25, 2025, 11:20:24 PM
to cas-...@apereo.org
Do you mean this property, cas.authn.pac4j.saml[0].use-name-qualifier?

You can add it to your existing saml config. It is a boolean.

Ray


BJ Sys Admin

Apr 28, 2025, 8:15:38 AM
to CAS Community, Ray Bon
Thank you! That's exactly what I was looking for. I put it in my application.yml file and that did the trick. For anyone else who may land here, the config in the application.yml file looks more like:
cas:
  authn:
    pac4j:
      saml[0]:
        use-name-qualifier: false
