CAS + Azure AD Auth Delegation


Bartosz Nitkiewicz

Apr 22, 2021, 1:18:55 PM
to CAS Community
Hi. I got stuck. I've managed to delegate auth to Azure AD. I can log in with my user and password. But after that I get AADSTS900971: No reply address provided.

I don't know how to set it up properly.

My registered CAS app (Azure) is redirected to my CAS server https://example.org/cas with ID tokens and access tokens enabled.

  "cas.authn.pac4j.oidc[0].azure.autoRedirect": "true",
  "cas.authn.pac4j.oidc[0].azure.clientName": "Azure",
  "cas.authn.pac4j.oidc[0].azure.enabled": "true",
  "cas.authn.pac4j.oidc[0].azure.id": "xxxxx",
  "cas.authn.pac4j.oidc[0].azure.responseMode": "form_post",
  "cas.authn.pac4j.oidc[0].azure.responseType": "id_token",
  "cas.authn.pac4j.oidc[0].azure.scope": "openid",
  "cas.authn.pac4j.oidc[0].azure.secret": "xxxxxx",
  "cas.authn.pac4j.oidc[0].azure.tenant": "xxxxx",
  "cas.authn.pac4j.oidc[0].azure.useNonce": "true",

I don't know if it is OK.
Any hints?

Ray Bon

Apr 22, 2021, 2:18:08 PM
to cas-...@apereo.org
Bartosz,

After successful login on Azure, CAS will redirect to your intended service.

Are there any error messages in the logs?

Ray

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Bartosz Nitkiewicz

Apr 22, 2021, 2:27:14 PM
to CAS Community, Ray Bon
I want to set up Azure as the default auth for all services. But it gives me this error: AADSTS900971: No reply address provided.
There are no logs on the CAS server side.
I think that I have misconfigured something during the Azure app registration. I don't know how it should be configured. I want to delegate auth to Azure through OIDC.
I've read that you have it working :)

Ray Bon

Apr 22, 2021, 4:58:02 PM
to cas-...@apereo.org, bar...@nitkiewicz.eu
Bartosz,

The only CAS properties I have that you do not are:
cas.authn.pac4j.oidc[0].azure.discoveryUri=https://login.microsoftonline.com/[tenant id goes here]/oauth2/v2.0/
cas.authn.pac4j.oidc[0].azure.logoutUrl=https://login.microsoftonline.com/common/oauth2/logout

When I go from CAS to Azure, this is the link (from developer tools):
https://login.microsoftonline.com/[tenant id goes here]/oauth2/authorize?response_type=code&redirect_uri=https://local.uvic.ca/cas/login?client_name=CasAsAClient&state=TST-1-...&client_id=[client id goes here]&scope=openid profile email

In Azure I added an app registration called CasAsAClient. In this application I have a web redirect URL, https://local.uvic.ca/cas/login?client_name=CasAsAClient

I do not have specific notes on the steps I took. I did read a lot of MS documentation and web tutorials.

Ray

Bartosz Nitkiewicz

Apr 23, 2021, 3:30:51 AM
to CAS Community, Ray Bon, Bartosz Nitkiewicz
Ray, 

Thank you. Now it's working as expected.

Regards 
Bartek

Rod B

May 26, 2023, 1:17:08 AM
to CAS Community, Bartosz Nitkiewicz, Ray Bon, Bartosz Nitkiewicz
Hello Ray and Bartosz!
Thanks for posting your configs. I think I'm close to getting CAS working with Azure (going into detail to maybe help the next person).

For CAS 6.6.7

I added this module to build.gradle and built the cas.war:

// Azure support
implementation "org.apereo.cas:cas-server-support-pac4j-webflow:${project.'cas.version'}"


This is my cas.properties; on Azure I made an app called "cas":

cas.authn.pac4j.oidc[0].azure.display-name= cas
cas.authn.pac4j.oidc[0].azure.auto-redirect-type= SERVER
cas.authn.pac4j.oidc[0].azure.client-name= cas
cas.authn.pac4j.oidc[0].azure.enabled= true
cas.authn.pac4j.oidc[0].azure.id= [client app id of cas app]
cas.authn.pac4j.oidc[0].azure.response-mode= form_post
cas.authn.pac4j.oidc[0].azure.response-type= id_token
cas.authn.pac4j.oidc[0].azure.scope= openid
cas.authn.pac4j.oidc[0].azure.secret= [cas client app secret]
cas.authn.pac4j.oidc[0].azure.tenant= [tenant id]
cas.authn.pac4j.oidc[0].azure.use-nonce= true
cas.authn.pac4j.oidc[0].azure.discovery-uri= https://login.microsoftonline.com/[tenant id]/oauth2/v2.0/
cas.authn.pac4j.oidc[0].azure.logout-url= https://login.microsoftonline.com/common/oauth2/logout

On Azure, I enabled id_token and set the redirect URL to:

https://cas.dev.schoolname.ca/cas/login?client_name=cas

Service file CasTest-1.json:

{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "http://cas-test.dev.ecuad.ca/wp-login.php*",
  "name" : "CasTest",
  "id" : 1,
  "evaluationOrder" : 1
}

catalina.out when I go to the CAS Test page (WordPress site):

2023-05-25 15:25:02,294 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: {result=Client Access Granted, service=http://cas-test.dev.schoolname.ca/wp-login.php, client=cas, registeredService=CasTest:http://cas-test.dev.ecuad.ca/wp-login.php*}
ACTION: DELEGATED_CLIENT_SUCCESS
APPLICATION: CAS
WHEN: Thu May 25 15:25:02 PDT 2023
CLIENT IP ADDRESS: xxxxxxxxxxx
SERVER IP ADDRESS: unknown
=============================================================

The problem I'm having is the web page will go to:

https://cas.dev.schoolname.ca/cas/login?client_name=cas

and time out. I'm not sure what I need to set so CAS (or Azure) will redirect to the WordPress site.

Any help is appreciated.

Thank you,

Rod

Pablo Vidaurri

Nov 17, 2023, 2:37:09 AM
to CAS Community, Rod B, Bartosz Nitkiewicz, Ray Bon, Bartosz Nitkiewicz
Did you solve your problem? I access my app, it redirects me to the CAS login page, I click on the button to redirect me to Azure. I log in to Azure, it looks like magic is happening... but then I land back on my login page without being logged in.

My logs show login successful, I see the correct principal value, but then the last message is:

WHO: audit:unknown
WHAT: {result=Client Access Granted, service=https://uat.xxxxxxxx.com/profile/home, client=AzureAdClient, registeredService=UAT:^https?://uat.xxxxxxxxx.com(/?|/.*)}
ACTION: DELEGATED_CLIENT_SUCCESS
APPLICATION: CAS
WHEN: Fri Nov 17 00:08:09 MST 2023
CLIENT IP ADDRESS: xxx.xxx.xx.xx, xxx.xxx.xx.xx
SERVER IP ADDRESS: uat.xxxxxx.com

The only difference I see from the others is that my Azure app registration is named Newco-Test but my cas.authn.pac4j.oidc[0].azure.client-name=AzureADClient (I am also using this AzureADClient value in the Azure redirect URL). Unfortunately I cannot just update the Azure properties.

-psv

Pablo Vidaurri

Nov 18, 2023, 4:13:13 PM
to CAS Community, Pablo Vidaurri, Rod B, Bartosz Nitkiewicz, Ray Bon, Bartosz Nitkiewicz
It looks like this is only happening when I have a target/service query parameter on the login page.
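An added consistency check (example code written for this page, not code from the thread, CAS or pac4j) for the two things the posts above keep coming back to: the reply URL registered on the Azure app must equal the redirect_uri CAS sends, which Ray's captured authorize link shows as cas.server.prefix + /login?client_name=<client-name>, and the client name in the DELEGATED_CLIENT_SUCCESS audit record should be the configured client-name. The properties file and audit record below are constructed samples, and the redirect_uri shape and the exact-match comparison are assumptions drawn from the thread.

```python
import re

# Constructed sample cas.properties using the keys from this thread (values are placeholders).
CAS_PROPERTIES = """
cas.server.prefix= https://cas.example.org/cas
cas.authn.pac4j.oidc[0].azure.client-name= AzureADClient
cas.authn.pac4j.oidc[0].azure.tenant= 11111111-2222-3333-4444-555555555555
cas.authn.pac4j.oidc[0].azure.discovery-uri= https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/v2.0/
"""
# Constructed audit record in the Slf4jLoggingAuditTrailManager layout quoted in the thread.
AUDIT_WHAT = ("WHAT: {result=Client Access Granted, service=https://uat.example.com/profile/home, "
              "client=AzureAdClient, registeredService=UAT:^https?://uat.example.com(/?|/.*)}")
AZURE = "cas.authn.pac4j.oidc[0].azure."


def parse_properties(text):
    """Minimal key=value parser; tolerates the 'key= value' spacing used in the posts."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def expected_redirect_uri(props):
    """Assumed shape, from Ray's capture: <cas.server.prefix>/login?client_name=<client-name>."""
    prefix = props["cas.server.prefix"].rstrip("/")
    return f"{prefix}/login?client_name={props[AZURE + 'client-name']}"

def check_config(props, registered_reply_urls):
    """Return a list of findings; an empty list means the settings look consistent."""
    findings = []
    expected = expected_redirect_uri(props)
    # Assumption: Azure compares redirect_uri with the registered reply URL as an exact string.
    if expected not in registered_reply_urls:
        findings.append(f"reply URL {expected} is not registered on the Azure app")
    if props[AZURE + "tenant"] not in props.get(AZURE + "discovery-uri", ""):
        findings.append("discovery-uri does not contain the configured tenant id")
    return findings

def parse_audit_what(line):
    """Split a 'WHAT: {k=v, k=v}' record; values may contain spaces or regex characters."""
    body = re.search(r"WHAT: \{(.*)\}\s*$", line).group(1)
    return dict(re.findall(r"(\w+)=(.*?)(?=, \w+=|$)", body))

def audit_client_matches(props, line):
    """The audit 'client' field should equal the configured client-name (it is also in the reply URL)."""
    return parse_audit_what(line)["client"] == props[AZURE + "client-name"]
```

With the constructed sample the reply-URL check passes only when the registered URL carries the client_name query string, and the audit check fails because the client names differ in case.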