only delegated (pac4j SAML) authentication and no button click


Scott Koranda

Feb 27, 2018, 2:35:09 PM
to CAS Community
Hello,

I am running CAS 5.2.2.

I have successfully configured CAS to use pac4j for delegated authentication. Specifically CAS/pac4j is configured as a SAML SP. 

When I browse to a CAS client I am redirected to the CAS server login page. I can then click a button to kick off the SAML flow and am redirected to the SAML IdP for authentication. After returning to the CAS/pac4j SAML SP I am then redirected to the CAS client with a ticket, which is later validated and I successfully access the resource.

I would like the delegated SAML authentication flow to be the only CAS authentication mechanism and I would like it so that I do not have to click a button to kick off the SAML flow. Ideally the user would never "see" the CAS server at all.

I thought this configuration would make that happen:

cas.authn.policy.requiredHandlerAuthenticationPolicyEnabled=true
cas.authn.policy.req.handlerName=Pac4j
cas.authn.policy.req.tryAll=false
cas.authn.policy.req.enabled=true
cas.authn.accept.users=

With this configuration I still see the login page and have to click a button to cause the SAML flow.

Is it possible to have the SAML flow start immediately without having to click the button? 

If so what configuration do I need?

Thanks,

Scott K

Jérôme LELEU

Feb 28, 2018, 8:20:15 AM
to CAS Community
Hi,

You need to use the following property:
# cas.authn.pac4j.autoRedirect=false
Thanks.
Best regards,
Jérôme



Nicholas J. Koch

Jan 2, 2019, 3:13:08 AM
to CAS Community
Hi Scott,

Your setup is exactly what I am looking for. But I am struggling to get the IdP setup correct. Could you provide your CAS properties please to get me up and running? I am suffering from this bad documentation. Or let me put it this way, I am new to SAML :-).

Thank you!!

sairam aagiru

Jan 7, 2019, 2:27:19 AM
to CAS Community
Hello Scott,
I'm trying to integrate CAS with SAML using the pac4j (CAS-server-support-pac4j-web flow) support project from CAS by following the below document:
I am using the SSO (ACS) URL https://witty.wavity.net/saml/login to consume the SAML assertion. Now, when the user logs in at the IdP, i.e. at Okta, it redirects to the ACS URL with a forbidden error. So how can I configure CAS to consume the SAML assertion from the IdP and have CAS grant a TGT to the SAML-asserted user?

Can you please help me out with the steps I need to follow at CAS once it receives a SAML assertion from any of the IdPs?