Example config for authing against Azure / O365?


Richard Frovarp

Mar 29, 2019, 4:58:03 PM
to CAS Community
Does anyone have an example config or documentation on how to delegate
to Azure AD? This is operating at the very edge of my understanding, and
I'm having some difficulty. Not entirely sure what configs are required,
or exactly what to set in Azure.

Right now I have:

cas.authn.pac4j.oidc[0].type=AZURE
cas.authn.pac4j.oidc[0].id=<client id>
cas.authn.pac4j.oidc[0].secret=<client-secret>
cas.authn.pac4j.oidc[0].clientName=AZURE
cas.authn.pac4j.oidc[0].discoveryUri=https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
cas.authn.pac4j.oidc[0].scope=openid email profile phone
cas.authn.pac4j.oidc[0].azureTenantId=<directory-id>


No idea if those scopes are right.

Getting:

2019-03-29 15:53:33,486 ERROR
[org.springframework.boot.web.support.ErrorPageFilter] - <Forwarding to
error page from request [/clientredirect] due to exception
[java.lang.ClassCastException: java.util.Collections$SingletonList
cannot be cast to java.lang.String]>
org.pac4j.core.exception.TechnicalException:
java.lang.ClassCastException: java.util.Collections$SingletonList cannot
be cast to java.lang.String
    at
org.pac4j.oidc.redirect.OidcRedirectActionBuilder.buildAuthenticationRequestUrl(OidcRedirectActionBuilder.java:113)
~[pac4j-oidc-3.6.1.jar:?]
    at
org.pac4j.oidc.redirect.OidcRedirectActionBuilder.redirect(OidcRedirectActionBuilder.java:78)
~[pac4j-oidc-3.6.1.jar:?]
    at
org.pac4j.core.client.IndirectClient.getRedirectAction(IndirectClient.java:109)
~[pac4j-core-3.6.1.jar:?]

Caused by: java.lang.ClassCastException:
java.util.Collections$SingletonList cannot be cast to java.lang.String
    at
com.nimbusds.oauth2.sdk.AuthorizationRequest.parse(AuthorizationRequest.java:972)
~[oauth2-oidc-sdk-5.62.jar:5.62]
    at
com.nimbusds.openid.connect.sdk.AuthenticationRequest.parse(AuthenticationRequest.java:1374)
~[oauth2-oidc-sdk-5.62.jar:5.62]
    at
com.nimbusds.openid.connect.sdk.AuthenticationRequest.parse(AuthenticationRequest.java:1340)
~[oauth2-oidc-sdk-5.62.jar:5.62]
    at
org.pac4j.oidc.redirect.OidcRedirectActionBuilder.buildAuthenticationRequestUrl(OidcRedirectActionBuilder.java:110)
~[pac4j-oidc-3.6.1.jar:?]
    ... 98 more

Any suggestions would be helpful, because I'm having difficulty pulling
off the right search to find the right set of documentation at MS.

Thanks,

Richard

Richard Frovarp

Mar 29, 2019, 4:59:24 PM
to CAS Community
Need to add CAS 5.3.9. I have Google and Twitter working through
delegated auth. So I have that much working.

Łukasz Woźniak

Jun 3, 2019, 4:42:46 AM
to CAS Community
We use version 5.2.9 of CAS, and we have a problem every day when users try to authenticate. They get "Unauthorized access", and in the log we get a CSRF error:

State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery

The problem appears only the first time every day. Any idea why?

Ray Bon

Jun 3, 2019, 12:06:00 PM
to cas-...@apereo.org
Łukasz,

This sounds like the client application is sending the user to CAS with one URL in the service parameter and a different URL when validating the service ticket. There should be log messages describing why the 'State parameter ...' is output. You may have to turn up the log level.

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

Łukasz Woźniak

Jun 3, 2019, 4:39:23 PM
to CAS Community
The problem is on the connection CAS <> Azure/OpenID. The state parameter for CSRF is sometimes null when the request comes from Azure to CAS. I checked, and the state is set on the session.

Łukasz Woźniak

Jun 3, 2019, 4:45:15 PM
to CAS Community
When the user opens CAS, the state parameter is set on the session, but when the user comes back from Azure/OpenID, the state parameter exists on the request but is null on the session.

craab

Dec 30, 2019, 7:27:49 AM
to CAS Community
Were you able to solve this issue? I'm having the same problem. The state parameter is on the request URL but not in the session.
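
The log message quoted in this thread reports a single error for several distinct conditions. As an added example (not code from CAS, pac4j, or any poster in this thread), this Python model of the OIDC state check returns which condition failed; the session store, its timeout, and the result names are assumptions made for illustration.

```python
import hmac
import secrets

class SessionStore:
    """In-memory stand-in for a server-side session store (assumed, not CAS code)."""
    def __init__(self, ttl):
        self.ttl = ttl       # session lifetime in seconds
        self._data = {}      # session id -> (created_at, attributes)
    def create(self, now):
        sid = secrets.token_urlsafe(16)
        self._data[sid] = (now, {})
        return sid
    def get(self, sid, now):
        entry = self._data.get(sid)
        if entry is None or now - entry[0] > self.ttl:
            self._data.pop(sid, None)   # unknown or expired session
            return None
        return entry[1]

def begin_login(store, now):
    """Create a session, bind a fresh random state to it, return (sid, state)."""
    sid, state = store.create(now), secrets.token_urlsafe(32)
    store.get(sid, now)["oidc_state"] = state
    return sid, state

def check_callback(store, sid, request_state, now):
    """Validate the state echoed back by the IdP and name the condition that failed."""
    session = store.get(sid, now) if sid else None
    if session is None:
        return "NO_SESSION"             # cookie not sent, or session expired/evicted
    expected = session.pop("oidc_state", None)   # single use: a replay finds nothing
    if expected is None:
        return "STATE_NOT_IN_SESSION"   # session is alive but holds no state
    if not request_state or not hmac.compare_digest(expected.encode(), request_state.encode()):
        return "STATE_MISMATCH"         # both sides have a state and they differ
    return "OK"

def demo():
    """Constructed scenarios: normal, replay, expired session, lost cookie, forged state."""
    store, out = SessionStore(ttl=1800), []
    sid, st = begin_login(store, now=0)
    out += [check_callback(store, sid, st, 60), check_callback(store, sid, st, 61)]
    sid, st = begin_login(store, now=100)
    out.append(check_callback(store, sid, st, 1901))      # one second past the lifetime
    sid, st = begin_login(store, now=2000)
    out += [check_callback(store, None, st, 2010),        # session cookie not sent
            check_callback(store, sid, "forged-value", 2020)]
    return out

if __name__ == "__main__":
    print(demo())
```

Logging the three failure results separately shows whether a rejected callback arrived with no usable session or with a state that genuinely differs from the stored one.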