CAS 5.2 PAC4J SAML 2.0 Delegation Behavior


Tom O'Neill

Jan 24, 2019, 2:40:46 PM
to cas-...@apereo.org

Hi All,

I am troubleshooting application integration and looking for some insight.

We have a CAS 5.2 instance with the PAC4J module, which is being used to delegate authentication to an IdP using SAML 2.0.

Based on some testing, it seems like the CAS server is delegating authentication to the IdP any time the CAS login method is hit.

We have the PAC4J autoRedirect property set to true, so I don't expect or want CAS to present a login page, but I also didn't expect it to redirect to the IdP if the user has a valid TGT.

cas.authn.pac4j.autoRedirect=true

Can anyone confirm that this is the designed and expected behavior?

Is anyone aware of a different setting or combination of settings that might adjust the behavior to what I’m looking for?

Hopefully I’m missing something.

Thanks!!!

Tom

Tom O'Neill

Jan 24, 2019, 5:25:22 PM
to cas-...@apereo.org

Hi All,

I did some additional testing and thought I’d provide an update…

It seems to me that when autoRedirect is set to 'true', the CAS TGT is ignored and the user is always sent on to authenticate at the IdP.

When autoRedirect is set to 'false', the CAS session is recognized, or the user can click a button which will delegate authentication to the IdP.

In other words, having autoRedirect set to true seems to negate the CAS TGT check.

I could see an argument for delegating every time, and I could be overlooking a detail, but I think it would be better to have it check for a CAS session and only delegate if the user isn't already authenticated.

Thanks,

Tom

Jérôme LELEU

Jan 25, 2019, 2:05:53 AM
to cas-...@apereo.org
Hi,

You're right: the TGT should be checked first. Notice that things have been fixed in 5.3: the autoRedirect property is still computed in the DelegationAuthenticationClientAction, but the redirection is applied on the HTML page.
Thanks.
Best regards,
Jérôme

Tom O'Neill

Jan 28, 2019, 9:32:33 AM
to cas-...@apereo.org

Jérôme,

Thanks for confirming what I'm seeing and for the heads-up that the behavior is adjusted in 5.3.

I updated my troubleshooting environment to 5.3 over the weekend and everything looks good after some initial testing.

Thank you for the help and your contributions to the project,

Tom

thai.q.nguyen

Jan 29, 2019, 6:04:22 PM
to CAS Community
Hi there,

I am on 5.3.7 and 'cas.authn.pac4j.autoRedirect=true' no longer works.
I get this error:
Error creating bean with name 'cas-org.apereo.cas.configuration.CasConfigurationProperties': Could not bind properties to CasConfigurationProperties (prefix=cas, ignoreInvalidFields=false, ignoreUnknownFields=false, ignoreNestedProperties=false); nested exception is org.springframework.boot.bind.RelaxedBindingNotWritablePropertyException: Failed to bind 'cas.authn.pac4j.autoRedirect' from 'file:///etc/cas/config/cas-test.properties' to 'authn.pac4j.autoRedirect' property on 'org.apereo.cas.configuration.model.core.authentication.AuthenticationProperties'

and CAS fails to start.

Any help is appreciated!

Thanks,

Thai

Charafeddine Youssef

Jan 29, 2019, 6:34:05 PM
to cas-...@apereo.org
Hi,

In CAS 5.3.7 many properties have changed, and autoRedirect is one of them, so CAS does not recognize your syntax. From memory, I would say autoRedirect is now specified for each external SAML 2 identity provider. So the right syntax is cas.authn.pac4j.saml[0].autoRedirect=true.

Best regards,
Charaf
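A small configuration check for the migration Charaf describes, added here as an example; it is not code from the thread or from the CAS project. It parses a CAS `.properties` file, flags the 5.2-style flat key that 5.3.x refuses to bind, and proposes the per-client `saml[N]` form for every SAML client index already present in the file (index 0 if none is configured). The sample properties are constructed; `clientName` is used only as an example of an existing per-client key.

```python
import re

# CAS 5.2 flat key that 5.3.x no longer binds (from the thread).
LEGACY_KEY = "cas.authn.pac4j.autoRedirect"
# 5.3.x per-client keys look like cas.authn.pac4j.saml[0].autoRedirect
INDEXED_RE = re.compile(r"^cas\.authn\.pac4j\.saml\[(\d+)\]\.(\w+)$")


def parse_properties(text):
    """Minimal .properties parser: key=value lines; '#' and '!' comments ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_auto_redirect(text):
    """Return (findings, suggested_lines) for a CAS properties file."""
    props = parse_properties(text)
    findings, suggestions = [], []

    # Collect the SAML client indices the file already configures.
    indices = set()
    for key in props:
        match = INDEXED_RE.match(key)
        if match:
            indices.add(int(match.group(1)))

    if LEGACY_KEY in props:
        findings.append(f"{LEGACY_KEY} is not bound by CAS 5.3.x; startup will fail")
        # Rewrite the legacy value onto each configured client (or client 0).
        for i in sorted(indices) or [0]:
            suggestions.append(
                f"cas.authn.pac4j.saml[{i}].autoRedirect={props[LEGACY_KEY]}")

    for i in sorted(indices):
        if f"cas.authn.pac4j.saml[{i}].autoRedirect" not in props:
            findings.append(f"saml[{i}] sets no autoRedirect key")
    return findings, suggestions


# Constructed sample of a 5.2-era file being moved to 5.3.7.
SAMPLE_52 = """# constructed sample, not a real deployment
cas.authn.pac4j.autoRedirect=true
cas.authn.pac4j.saml[0].clientName=ExampleIdP
"""
```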

thai.q.nguyen

Jan 30, 2019, 4:05:19 PM
to CAS Community
Hi Charaf,

Thanks for the tip!
cas.authn.pac4j.saml[0].autoRedirect=true clears the error and CAS starts.
However, CAS shows the login page (instead of redirecting to the IdP's login page).

Not sure if I'm missing something else.

Thanks,

Thai

thai.q.nguyen

Jan 30, 2019, 6:39:22 PM
to CAS Community
Hi all,

It does redirect to the IdP's login page.

Thanks,

Thai