buji-pac4j-demo-master, CAS delegation through pac4j-webflow and 1 OIDC provider

635 views

Skip to first unread message

Steve Hespelt

unread,

Apr 17, 2018, 4:40:21 PM4/17/18

to CAS Community

also posted in the "Pac4j users mailing list" group as well.

Hi, I'm hoping my usage is pretty common & someone has already made this scenario work properly.

My objective is to use the bujio-pac4j-demo-master (3.2.0-SNAPSHOT) project as a starting point as a CAS client, having CAS delegate via the pac4j webflow support, eventually I want to make use of the SSO, ticket management in CAS 5.2.x (5.2.2 currently).

The intended webflow: demo app (buji-pac4j-demo-master) security filter redirects to CAS via the buji-pac4j CasClient.loginUrl=https://localhost:8443/cas/login which will redirect to Google

OIDC auth url, with flow eventually returning credentials, profile info to the SecurityFilter to redirect to original requested URL (eg. https://localhost:8449/cas/index.jsp)

I've got the buji-pac4j-demo-master configured so I can test using jetty (using https on port 8449).

initial CAS 5.2.3 setup is with 1 delegated IDP. per https://apereo.github.io/cas/5.2.x/integration/Delegate-Authentication.html, I added the cas-server-support-pac4j-webflow (5.2.3) artifact to the CAS overlay's pom.

my CAS 5.2.2 server is listening for incoming https connections on port 8443.

So, my understanding is that CAS will not bother with the CAS generated login page, but (autoRedirect==true) will just redirect the login request to the 1 configured delegated IDP.

This works as I expect, I get the usual Google login page, I authenticate & I get redirected but only back to the CAS login page.

BUT, while it looks as though CAS is processing the redirect from Google [see below log msgs involving org.pac4j.oidc.credentials.extractor.OidcExtractor], no sign that it is responding to the application's request - lots of gory details below gives me reason to suspect that. First is the response code of 200 on the redirect for CAS to process Google's response.

So my embarrassingly large post boils down to: What am I missing to get CAS to finish the webflow by returning the response with the authenticated credentials back the initial requesting app, the pac4j demo's SecurityFilter? Any chance it's related to the below response header showing for a Set-Cookie field with the following: Secure; HttpOnly ?

Thank you for any insights.

-steve

my cas.properties contains the following cas.authn.pac4j.* settings.

cas.authn.pac4j.autoRedirect=true

cas.authn.pac4j.oidc[0].id=******.apps.googleusercontent.com

cas.authn.pac4j.oidc[0].secret=****my-secret****

cas.authn.pac4j.oidc[0].type=GOOGLE

cas.authn.pac4j.oidc[0].scope=openid profile

cas.authn.pac4j.oidc[0].clientName=GoogleOIDC

cas.pac4j.oidc.discoveryUri=https://accounts.google.com/.well-known/openid-configuration

My Google console authorized redirect URIs has 1: https://localhost:8443/cas/login?client_name=GoogleOIDC

So the following is working:

SecurityFilter is generating a 302 redirect response to the initial (unauthenticated) request for https://localhost:8449/cas/index.jsp

reponse header has location=https://localhost:8443/cas/login?service=https%3A%2F%2Flocalhost%3A8449%2Fcallback%3Fclient_name%3DCasClient

Server: Jetty(9.3.8.v20160314)

redirect sent to CAS is: https://localhost:8443/cas/login?service=https%3A%2F%2Flocalhost%3A8449%2Fcallback%3Fclient_name%3DCasClient

response header has location=https://accounts.google.com/o/oauth2/v2/auth? response_type=code&client_id=****myclientID*****.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fcas%2Flogin%3Fclient_name%3DGoogleOIDC&scope=openid+profile&state=jLX6iCY6siWaOmH7VtwjuzpROtM3k_HL8K70LidaZAw

response header also has Set-Cookie: JSESSIONID=79B39C7E5E5693B5BF61884B52E09FCD; Path=/cas; Secure; HttpOnly

This results in the CAS instance redirecting via 302 response the following request URL (same as response location above):

https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=****myclientID*****.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fcas%2Flogin%3Fclient_name%3DGoogleOIDC&scope=openid+profile&state=jLX6iCY6siWaOmH7VtwjuzpROtM3k_HL8K70LidaZAw

I get the Google login page, enter my credentials and the generated response is a 302 redirect

reponse header has location=https://localhost:8443/cas/login?client_name=GoogleOIDC&state=jLX6iCY6siWaOmH7VtwjuzpROtM3k_HL8K70LidaZAw&code=4/AAA9qlRlbkuWmFzJO1nvr23LnRf4HVoMu9eqJeQ-nzq922D375okGqD52Dv_haMQIYAkV5ikouz3NAtLbJg2csA&authuser=0&session_state=da7bae9eb4fa3459e15f94e81f06a8258c41c9c1..b186&prompt=none#

state value matches the value provided in above CAS (pac4j oidc code) redirect - good.

The redirect response has a status code: 200. request cookie has TGC key, SESSIONID=79B39C7E5E5693B5BF61884B52E09FCD; JSESSIONID=sghbip4bak977llku5mld199

and Referer: https://localhost:8449/

So the cas_audit.log has: (time matches Chrome's display of the request/response details)

WHO: null

WHAT: Supplied credentials: [org.apereo.cas.authentication.principal.ClientCredential@365bbddf[id=<null>]]

ACTION: AUTHENTICATION_SUCCESS

APPLICATION: CAS

WHEN: Tue Apr 17 10:28:23 EDT 2018BUJI PAC4J DEMO 10:28:22.604 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - Starting authentication

BUJI PAC4J DEMO 10:28:22.604 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - requestedUrl: https://localhost:8449/cas/index.jsp

CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1

SERVER IP ADDRESS: 0:0:0:0:0:0:0:1

in the cas.log:

2018-04-17 10:28:22,773 DEBUG [org.apereo.cas.web.flow.InitialFlowSetupAction] - <Warning cookie path is set to [null] and path [/cas/]>

2018-04-17 10:28:22,774 DEBUG [org.apereo.cas.web.flow.InitialFlowSetupAction] - <TGC cookie path is set to [null] and path [/cas/]>

2018-04-17 10:28:22,774 DEBUG [org.apereo.cas.web.support.CookieRetrievingCookieGenerator] - <null>

java.lang.NullPointerException: null

at org.apereo.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue(DefaultCasCookieValueManager.java:62) ~[cas-server-support-cookie-5.2.3.jar!/:5.2.3]

[... stack dump deleted]

2018-04-17 10:28:22,775 DEBUG [org.apereo.cas.web.support.DefaultArgumentExtractor] - <Created [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@66a4100b[id=https://localhost:8449/callback?client_name=CasClient,originalUrl=https://localhost:8449/callback?client_name=CasClient,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML]] based on [org.apereo.cas.authentication.principal.WebApplicationServiceFactory@638341b0[]]>

2018-04-17 10:28:22,775 DEBUG [org.apereo.cas.web.support.AbstractArgumentExtractor] - <Extractor generated service type [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl] for: [https://localhost:8449/callback?client_name=CasClient]>

2018-04-17 10:28:22,775 DEBUG [org.apereo.cas.web.flow.InitialFlowSetupAction] - <Placing service in context scope: [https://localhost:8449/callback?client_name=CasClient]>

2018-04-17 10:28:22,776 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <clientName: [null]>

2018-04-17 10:28:22,775 DEBUG [org.apereo.cas.web.flow.InitialFlowSetupAction] - <Placing service in context scope: [https://localhost:8449/callback?client_name=CasClient]>

2018-04-17 10:28:22,776 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <clientName: [null]>

2018-04-17 10:28:22,777 DEBUG [org.pac4j.oidc.redirect.OidcRedirectActionBuilder] - <Authentication request url: https://accounts.google.com/o/oauth2/v2/auth?resp

onse_type=code&client_id=****myclientID*****.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fcas%2Flogin%3Fclie

nt_name%3DGoogleOIDC&scope=openid+profile&state=jLX6iCY6siWaOmH7VtwjuzpROtM3k_HL8K70LidaZAw>

2018-04-17 10:28:22,777 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <[GoogleOIDC] -> [https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=****myclientID*****.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fcas%2Flogin%3Fclient_name%3DGoogleOIDC&scope=openid+profile&state=jLX6iCY6siWaOmH7VtwjuzpROtM3k_HL8K70LidaZAw]>

2018-04-17 10:28:22,777 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationActiorg.pac4j.oidc.credentials.extractor.OidcExtractoron] - <cssClass for GoogleOIDC is fa fa-lock GoogleOIDC >

2018-04-17 10:28:22,777 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <Auto-redirecting to client url [https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=****myclientID*****.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fcas%2Flogin%3Fclient_name%3DGoogleOIDC&scope=openid+profile&state=jLX6iCY6siWaOmH7VtwjuzpROtM3k_HL8K70LidaZAw]>

2018-04-17 10:28:22,973 DEBUG [org.apereo.cas.web.support.CookieRetrievingCookieGenerator] - <null>

java.lang.NullPointerException: null

at org.apereo.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue(DefaultCasCookieValueManager.java:62) ~[cas-server-support-cookie-5.2.3.jar!/:5.2.3]

[... stack dump deleted]

2018-04-17 10:28:22,983 DEBUG [org.apereo.cas.authentication.principal.WebApplicationServiceFactory] - <No service is specified in the request. Skipping service creation>

2018-04-17 10:28:22,986 DEBUG [org.apereo.cas.web.support.DefaultArgumentExtractor] - <No service could be extracted based on the given request>

2018-04-17 10:28:22,986 DEBUG [org.apereo.cas.web.support.AbstractArgumentExtractor] - <Extractor did not generate service.>

2018-04-17 10:28:22,990 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <clientName: [GoogleOIDC]>

2018-04-17 10:28:22,990 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <Client: [#GoogleOidcClient# | name: GoogleOIDC | callbackUrl: https://localhost:8443/cas/login?client_name=GoogleOIDC | urlResolver: org.pac4j.core.http.DefaultUrlResolver@1e0cd3ba | ajaxRequestResolver: org.pac4j.core.http.DefaultAjaxRequestResolver@10319bc1 | redirectActionBuilder: #OidcRedirectActionBuilder# | configuration: #OidcConfiguration# | clientId: ****myClientID*****.apps.googleusercontent.com | secret: [protected] | discoveryURI: https://accounts.google.com/.well-known/openid-configuration | scope: openid profile | customParams: {} | clientAuthenticationMethod: null | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 0 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@63e21f95 | callbackUrl: https://localhost:8443/cas/login?client_name=GoogleOIDC | responseType: null | responseMode: null | logoutUrl: null | | | credentialsExtractor: #OidcExtractor# | configuration: #OidcConfiguration# | clientId: ****myClientID*****.apps.googleusercontent.com | secret: [protected] | discoveryURI: https://accounts.google.com/.well-known/openid-configuration | scope: openid profile | customParams: {} | clientAuthenticationMethod: null | uorg.pac4j.oidc.credentials.extractor.OidcExtractorseNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 0 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@63e21f95 | callbackUrl: https://localhost:8443/cas/login?client_name=GoogleOIDC | responseType: null | responseMode: null | logoutUrl: null | | clientName: GoogleOIDC | | authenticator: #OidcAuthenticator# | configuration: #OidcConfiguration# | clientId: ****myClientID*****.apps.googleusercontent.com | secret: [protected] | discoveryURI: https://accounts.google.com/.well-known/openid-configuration | scope: openid profile | customParams: {} | clientAuthenticationMethod: null | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 0 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@63e21f95 | callbackUrl: https://localhost:8443/cas/login?client_name=GoogleOIDC | responseType: null | responseMode: null | logoutUrl: null | | clientAuthentication: com.nimbusds.oauth2.sdk.auth.ClientSecretPost@60d65eb5 | | profileCreator: #OidcProfileCreator# | configuration: #OidcConfiguration# | clientId: ****myClientID*****.apps.googleusercontent.com | secret: [protected] | discoveryURI: https://accounts.google.com/.well-known/openid-configuration | scope: openid profile | customParams: {} | clientAuthenticationMethod: null | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 0 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@63e21f95 | callbackUrl: https://localhost:8443/cas/login?client_name=GoogleOIDC | responseType: null | responseMode: null | logoutUrl: null | | | logoutActionBuilder: org.pac4j.core.logout.GoogleLogoutActionBuilder@62ab27eb | configuration: #OidcConfiguration# |:

2018-04-17 10:28:22,991 DEBUG [org.pac4j.oidc.credentials.extractor.OidcExtractor] - <Authentication response successful>

2018-04-17 10:28:23,188 DEBUG [org.pac4j.oidc.credentials.authenticator.OidcAuthenticator] - <Token response: status=200, content={

"access_token": "ya29.GlygBV8fhxUWJ1VFv9n7_WdEpxsGAe-govM6B8eIkqlig3SheZdFj-8k2JQetxaNpnCsiqzuxVe5myRRHP0Kws4MGadlrhB2yO7vzV7jkmO2uWFQH5FKzQ2YWt6YnA",

"token_type": "Bearer",

"expires_in": 3599,

"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjU0MjViYjg0NjE2ZWJmOTczYWU4MGJjNjJhYzY4OGQyYTcyNzE1YWQifQ.eyJhenAiOiIxMDU4NTQ3ODc5OTctNXZsM2dtdWo4b2ptYWNraXE4NnJldHJlN2JiNXF1b3EuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhdWQiOiIxMDU4NTQ3ODc5OTctNXZsM2dtdWo4b2ptYWNraXE4NnJldHJlN2JiNXF1b3EuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMTQ3NTYwNzQ2MTA0NjY3NTE5MDAiLCJhdF9oYXNoIjoiNzBxNGU5ejZmY1FKWG1mSjRVajdHQSIsImV4cCI6MTUyMzk3ODkwMywiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tIiwiaWF0IjoxNTIzOTc1MzAzLCJuYW1lIjoiU3RldmUgSGVzcGVsdCIsInBpY3R1cmUiOiJodHRwczovL2xoMy5nb29nbGV1c2VyY29udGVudC5jb20vLVFydzN5LVJ1cWwwL0FBQUFBQUFBQUFJL0FBQUFBQUFBQUFBL0FDTEd5V0FpWll1S0E3NVZTQ1JiUWdSdFgwakNCRU9DckEvczk2LWMvcGhvdG8uanBnIiwiZ2l2ZW5fbmFtZSI6IlN0ZXZlIiwiZmFtaWx5X25hbWUiOiJIZXNwZWx0IiwibG9jYWxlIjoiZW4ifQ.BF3PSAdB76QDiMFCAATermVenFYt_qXcTNQiZyf4xct1L5hClWuPPs2YQK1PDGJk4_Vg7mkZEjSSAIwqAhzH8qn5p62PpuxDNYkvjhtQXUZhQWnd0DdFUNwMGRR_La3sBMLj_X0-1tAyZ37Rib2hmTz7fa-pJjsiDQfbYmbX8LCSXNdnPy8madHjdzGXvTbGvsSQBulNEvBUOr83yD7TEmhLO49vpZK7hlX3Cg8eqDY0DwIZ0TuZ6yZsuQCrjS6MPFwDnJRztMj-w_KnwBeYlv2tpOBd5MGai-fr0FBy5PiMcQp_8xR0IyHpagp7onyh1n0o-JZEOmRdHLbffCFQcQ"

2018-04-17 10:28:23,189 DEBUG [org.pac4j.oidc.credentials.authenticator.OidcAuthenticator] - <Token response successful>

2018-04-17 10:28:23,189 DEBUG [org.pac4j.oidc.client.GoogleOidcClient] - <Credentials validation took: 198 ms>

2018-04-17 10:28:23,189 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <Retrieved credentials: [#OidcCredentials# | code: 4/AAA9qlRlbkuWmFzJO1nvr23LnRf4HVoMu9eqJeQ-nzq922D375okGqD52Dv_haMQIYAkV5ikouz3NAtLbJg2csA | clientName: GoogleOIDC | accessToken: ya29.GlygBV8fhxUWJ1VFv9n7_WdEpxsGAe-govM6B8eIkqlig3SheZdFj-8k2JQetxaNpnCsiqzuxVe5myRRHP0Kws4MGadlrhB2yO7vzV7jkmO2uWFQH5FKzQ2YWt6YnA | refreshToken: null | idToken: com.nimbusds.jwt.SignedJWT@6dcc4216 |]>

2018-04-17 10:28:23,189 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <Retrieve service: [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@66a4100b[id=https://localhost:8449/callback?client_name=CasClient,originalUrl=https://localhost:8449/callback?client_name=CasClient,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML]]>

2018-04-17 10:28:23,190 WARN [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Service [null] is not allowed to use SSO.>

2018-04-17 10:28:23,191 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

2018-04-17 10:28:24,137 DEBUG [org.apereo.cas.web.support.CookieRetrievingCookieGenerator] - <null>

java.lang.NullPointerException: null

at org.apereo.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue(DefaultCasCookieValueManager.java:62) ~[cas-server-support-cookie-5.2.3.jar!/:5.2.3]

nothing further to indicate that CAS is responding to the initial request with the authentication info.

from the buji-pac4j-demo-master log:

BUJI PAC4J DEMO 10:28:22.603 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - === SECURITY ===

BUJI PAC4J DEMO 10:28:22.603 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - url: https://localhost:8449/cas/index.jsp

BUJI PAC4J DEMO 10:28:22.603 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - matchers: null

BUJI PAC4J DEMO 10:28:22.603 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - clients: CasClient

BUJI PAC4J DEMO 10:28:22.604 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - loadProfilesFromSession: true

BUJI PAC4J DEMO 10:28:22.604 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - profiles: []

BUJI PAC4J DEMO 10:28:22.604 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - Starting authentication

BUJI PAC4J DEMO 10:28:22.604 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - requestedUrl: https://localhost:8449/cas/index.jsp

that's it. no response processing log msgs,

Jérôme LELEU

unread,

Apr 18, 2018, 5:03:47 AM4/18/18

to CAS Community

Hi,

It looks more like a CAS issue than like a pac4j issue, so I will answer on this thread.

I guess the NullPointerException blocks the regular web flow and is the root cause.

Can you copy/paste the full stack trace?

Thanks.

Best regards,

Jérôme

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/5ca692d8-2406-433e-8ded-30b326c24e94%40apereo.org.

Steve Hespelt

unread,

Apr 18, 2018, 7:46:08 AM4/18/18

to CAS Community

Hi Jérôme,

Thank for replying to my post, much appreciated.

I've attached the entire sequence of log messages I captured during the test case I described. I've replaced the actual OIDC clientId with '****myClientID*****'.

I suspect I've not set some CAS config properties that are affecting the scenario. I try to make the minimal amount of changes as I'm try to assess the impact. Too many changes -> who knows why I'm seeing certain behaviors? That & I'm quite new to setting up CAS... Hence tiny steps before I try a full sprint.

shortly after startup, the following WARNing message are seen:

2018-04-17 07:45:53,170 WARN [org.apereo.cas.config.CasCoreTicketsConfiguration] - <Runtime memory is used as the persistence storage for retrieving and managing tickets. Tickets that are issued during runtime will be LOST upon container restarts. This MAY impact SSO functionality.>

2018-04-17 07:45:53,175 INFO [org.apereo.cas.configuration.support.Beans] - <Ticket registry encryption/signing is turned off. This MAY NOT be safe in a clustered production environment. Consider using other choices to handle encryption, signing and verification of ticket registry tickets, and verify the chosen ticket registry does support this behavior.>

[...]

2018-04-17 07:46:47,082 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for encryption is not defined for [Ticket-granting Cookie]; CAS will attempt to auto-generate the encryption key>

2018-04-17 07:46:47,098 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated encryption key [Qup4oxtWcH9AYcwrtKbChZB0AisFH142JJzLjqKsGnE] of size [256] for [Ticket-granting Cookie]. The generated key MUST be added to CAS settings under setting [cas.tgc.crypto.encryption.key].>

2018-04-17 07:46:47,098 DEBUG [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Creating encryption key instance based on provided secret key>

2018-04-17 07:46:47,102 DEBUG [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Initialized cipher encryption sequence via content encryption [A128CBC-HS256] and algorithm [dir]>

2018-04-17 07:46:47,102 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for signing is not defined for [Ticket-granting Cookie]. CAS will attempt to auto-generate the signing key>

it is my intention to take care of the the signing key 'eventually'. Any chance this is causing the issue & I should address the warnings before proceeding with anything else? I have been assuming that if these warnings had additional impacts, that there would be additional WARNing messages from the higher level components that would be impacted (ie. if a lookup performed while processing the Google response fails & therefore the final redirect back to the app [buji-pac4j demo running via jetty] can't happen, that should be either an ERROR or WARNing as functionality is definitely affected :-)

Again, thanks for taking a look at my posting & the attached stack trace.

-steve

To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

stack-trace.txt

Steve Hespelt

unread,

Apr 18, 2018, 2:46:41 PM4/18/18

to CAS Community

Maybe I should have asked this question first ?

Is my understanding of the redirect URL correct? - As I posted in the initial posting, the redirect URL in the OAuth response (location field) generated by Google is https://localhost:8443/cas/login?client_name=GoogleOIDC&state=psLOvvu3QEgUDR8DdmSZZOwwRXD5wDU8Sgqq7ao37DU&code=4/AABeT1PuD_ZT1njwxetjM3BIAqvvGA21YtqjnlkZuPLF_kjOKH1ola06tAT3I7iuXsH2pRr-VplYXudeNBTZavY&authuser=0&session_state=3ea60fde75e82d25498b33b2aa034805da931cee..5c37&prompt=none#
This same URL is what CAS placed within the OAuth request (via the pac4j code?), so the flow should result in CAS issuing 1 more redirect, this last redirect having location=https://localhost:8449/

The DEBUG entries suggest this is being set up when the SecurityFilter redirect first hits CAS: - any chance the log entry at 10:28:22,776 where clientName: [null] is an issue?

2018-04-17 10:28:22,775 DEBUG [org.apereo.cas.web.flow.InitialFlowSetupAction] - <Placing service in context scope: [https://localhost:8449/callback?client_name=CasClient]>

2018-04-17 10:28:22,776 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <clientName: [null]>

2018-04-17 10:28:22,776 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <Save service: [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@66a4100b[id=https://localhost:8449/callback?client_name=CasClient,originalUrl=https://localhost:8449/callback?client_name=CasClient,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML]]>

bumping up the logging level to trace for doesn't indicate to me what's happening to the initial redirect (but my glasses are 7 years old...)

interesting stuff starts at 14:00:38,346

via <Retrieved credentials: ... @ 2018-04-18 14:00:39,599, it appears as though the CAS server is parsing out the Google OIDC response.

14:00:42,592 TRACE

@ 14:00:42,827, there are TRACE logs showing the CAS server returning pages used to construct the CAS login page. So it had decided not to redirect to the original app (buji-pac4j demo jetty process).....

I hope these additional details might help.

Thanks,

-steve

trace-logs.txt

Steve Hespelt

unread,

Apr 19, 2018, 1:46:35 PM4/19/18

to CAS Community

Hi Jérôme,

I found an earlier posting from 12/21/17 regarding the NPEs, so as suggested by that posting, I restarted CAS & then cleared all related cookies from the browser. Once I restart CAS & re-initiated the same flow, no more NPE as shown in my log.

But I still have the problem with the webflow not finishing as I expect.

I increased the log level to trace on a few packages:

org.apereo.cas.web.flow

org.springframework.webflow

org.springframework.session

org.springframework.web

org.springframework.web.socket

Some log entries of interest (to me): (and I'm currently guessing the issue may be related to a SSO log msg at 2018-04-19 11:53:23,186 below. Why would a service not be allowed to use SSO ?

-steve

2018-04-19 11:53:01,183 TRACE [org.springframework.web.servlet.DispatcherServlet] - <Bound request context to thread: org.apache.catalina.connector.RequestFacade@33327a12> <- this object ref# shows up later, at the bottom so I'm correlating this initial log with the later ('completion' ) log msg below with the same object ref#...

2018-04-19 11:53:01,183 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <DispatcherServlet with name 'dispatcherServlet' processing GET request for [/cas/login]>

2018-04-19 11:53:01,209 TRACE [org.apereo.cas.web.CasWebApplicationContext] - <Publishing event in org.apereo.cas.web.CasWebApplicationContext@222545dc: ServletRequestHandledEvent: url=[/cas/login]; client=[0:0:0:0:0:0:0:1]; method=[GET]; servlet=[dispatcherServlet]; session=[2C34A85ABE5CF428636B86D697AA5B56]; user=[null]; time=[26ms]; status=[OK]> <- From the pac4j demo's SecurityFilter redirect to initial request on /cas/index.jsp

2018-04-19 11:53:22,914 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <DispatcherServlet with name 'dispatcherServlet' processing GET request for [/cas/login]>

2018-04-19 11:53:22,921 TRACE [org.springframework.web.servlet.DispatcherServlet] - <Testing handler map [org.springframework.webflow.mvc.servlet.FlowHandlerMapping@2ee91bdf] in DispatcherServlet with name 'dispatcherServlet'>

2018-04-19 11:53:22,921 DEBUG [org.springframework.webflow.mvc.servlet.FlowHandlerMapping] - <Mapping request with URI '/cas/login' to flow with id 'login'>

2018-04-19 11:53:22,921 DEBUG [org.springframework.webflow.executor.FlowExecutorImpl] - <Launching new execution of flow 'login' with input map['state' -> 'ldCrbo4sRBQJJ6MWsbMyEwW9aEbB2SXH4-qaq69Zz6s', 'code' -> '4/AAAp_BeFI-e0zZCTS9wDDdIcKYhrXd2QDMej_cpXiigGC_jCEZ43E_FrsaW-dPvESPMcVV32AFlPmaDHAVPg_ME', 'session_state' -> '6cd666a9989ac714aac38521f950f380ba3fcfc0..b199', 'client_name' -> 'GoogleOIDC', 'prompt' -> 'none', 'authuser' -> '0']>

2018-04-19 11:53:22,921 DEBUG [org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl] - <Getting FlowDefinition with id 'login'>

2018-04-19 11:53:22,921 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImplFactory] - <Creating new execution of 'login'>

2018-04-19 11:53:22,921 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImpl] - <Starting in org.springframework.webflow.mvc.servlet.MvcExternalContext@408aeb6f with input map['state' -> 'ldCrbo4sRBQJJ6MWsbMyEwW9aEbB2SXH4-qaq69Zz6s', 'code' -> '4/AAAp_BeFI-e0zZCTS9wDDdIcKYhrXd2QDMej_cpXiigGC_jCEZ43E_FrsaW-dPvESPMcVV32AFlPmaDHAVPg_ME', 'session_state' -> '6cd666a9989ac714aac38521f950f380ba3fcfc0..b199', 'client_name' -> 'GoogleOIDC', 'prompt' -> 'none', 'authuser' -> '0']>

2018-04-19 11:53:22,921 DEBUG [org.springframework.webflow.engine.Flow] - <Creating [FlowVariable@c58f8bd name = 'credential', valueFactory = [BeanFactoryVariableValueFactory@5cab14e3 type = UsernamePasswordCredential]]>

2018-04-19 11:53:22,922 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@29e2f697 expression = initialFlowSetupAction, resultExpression = [null]]>

2018-04-19 11:53:22,922 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.apereo.cas.web.flow.InitialFlowSetupAction@1c5e2d2f>

2018-04-19 11:53:22,922 DEBUG [org.apereo.cas.web.flow.InitialFlowSetupAction] - <Warning cookie path is set to [null] and path [/cas/]>

2018-04-19 11:53:22,922 DEBUG [org.apereo.cas.web.flow.InitialFlowSetupAction] - <TGC cookie path is set to [null] and path [/cas/]>

2018-04-19 11:53:22,923 DEBUG [org.apereo.cas.authentication.principal.WebApplicationServiceFactory] - <No service is specified in the request. Skipping service creation>

2018-04-19 11:53:22,923 DEBUG [org.apereo.cas.web.support.DefaultArgumentExtractor] - <No service could be extracted based on the given request>

2018-04-19 11:53:22,923 DEBUG [org.apereo.cas.web.support.AbstractArgumentExtractor] - <Extractor did not generate service.>

2018-04-19 11:53:22,924 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.apereo.cas.web.flow.InitialFlowSetupAction@1c5e2d2f; result = success>

[...]

2018-04-19 11:53:22,924 DEBUG [org.pac4j.oidc.credentials.extractor.OidcExtractor] - <Authentication response successful>

2018-04-19 11:53:23,183 DEBUG [org.pac4j.oidc.credentials.authenticator.OidcAuthenticator] - <Token response: status=200, content={

"access_token": "ya29.GlyiBcpAH4iGUOnL7YWwmsCjl_Mbap24wouWyPh4CzDAHXJgozy5a6GZWfl6c8VEeQcgBSU6p2eWtWnhvXK1tZh8LsAmro4-24d4906l4m-XoWzvESO-Cac1SS8osA",

"token_type": "Bearer",

"expires_in": 3599,

"id_token": "eyJhbGc [...]DQ"

}

2018-04-19 11:53:23,184 DEBUG [org.pac4j.oidc.credentials.authenticator.OidcAuthenticator] - <Token response successful>

2018-04-19 11:53:23,184 DEBUG [org.pac4j.oidc.client.GoogleOidcClient] - <Credentials validation took: 260 ms>

2018-04-19 11:53:23,184 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <Retrieved credentials: [#OidcCredentials# | code: 4/AAAp_BeFI-e0zZCTS9wDDdIcKYhrXd2QDMej_cpXiigGC_jCEZ43E_FrsaW-dPvESPMcVV32AFlPmaDHAVPg_ME | clientName: GoogleOIDC | accessToken: ya29.GlyiBcpAH4iGUOnL7YWwmsCjl_Mbap24wouWyPh4CzDAHXJgozy5a6GZWfl6c8VEeQcgBSU6p2eWtWnhvXK1tZh8LsAmro4-24d4906l4m-XoWzvESO-Cac1SS8osA | refreshToken: null | idToken: com.nimbusds.jwt.SignedJWT@65ff182d |]>

2018-04-19 11:53:23,184 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <Retrieve service: [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@62347e06[id=https://localhost:8449/callback?client_name=CasClient,originalUrl=https://localhost:8449/callback?client_name=CasClient,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML]]>

^^^^ so CAS has the callback to provide the pac4j demo the credentials

2018-04-19 11:53:23,186 TRACE [org.apereo.cas.util.CollectionUtils] - <Converting attribute [org.apereo.cas.support.pac4j.authentication.handler.support.ClientAuthenticationHandler@462b239f]>

2018-04-19 11:53:23,186 WARN [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Service [null] is not allowed to use SSO.>

2018-04-19 11:53:23,187 TRACE [org.apereo.cas.audit.spi.ThreadLocalPrincipalResolver] - <Resolving principal at audit point [execution(Authentication org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(Authentication

Transaction))]>

2018-04-19 11:53:23,187 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

[...]

2018-04-19 11:53:23,190 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImpl] - <Attempting to handle [org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.support.pac4j.web.f

low.DelegatedClientAuthenticationAction@7ce721a9 in state 'clientAction' of flow 'login' -- action execution attributes were 'map[[empty]]'] org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction@7ce721a9 in state 'clientAction' of flow 'login' -- action execution attributes were 'map[[empty]]'

at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:60) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]

at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]

at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]

at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]

at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]

at org.springframework.webflow.engine.State.enter(State.java:194) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]

at org.springframework.webflow.engine.Flow.start(Flow.java:527) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]

at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]

at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]

at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140) ~[spring-webflow-2.4.6.RELEASE.j

2018-04-19 11:53:23,211 DEBUG [org.springframework.webflow.mvc.view.AbstractMvcView] - <Rendering MVC [org.thymeleaf.spring4.view.ThymeleafView@5a9194a2] with model map [{passwordManagementEnabled=false, recaptchaSiteKey=null, viewScope=map[[empty]], warnCookieValue=false, org.springframework.validation.BindingResult.credential=org.springframework.webflow.mvc.view.BindingModel: 0 errors, staticAuthentication=true, flowExecutionUrl=/cas/login?client_name=GoogleOIDC&state=ldCrbo4sRBQJJ6MWsbMyEwW9aEbB2SXH4-qaq69Zz6s&code=4%2FAAAp_BeFI-e0zZCTS9wDDdIcKYhrXd2QDMej_cpXiigGC_jCEZ43E_FrsaW-dPvESPMcVV32AFlPmaDHAVPg_ME&authuser=0&session_state

=6cd666a9989ac714aac38521f950f380ba3fcfc0..b199&prompt=none&execution=35aa2986-8f39-4b7f-8a78-4a69bb475c54_H4sIAAAAAA [...] AAA%3D, rootCauseException=org.apereo.cas.services.UnauthorizedSsoServiceException: service.not.authorized.sso, flowRequestContext=[RequestControlContextImpl@2b4c688c externalContext = org.springframework.webflow.mvc.servlet.MvcExternalContext@408aeb6f, currentEvent = [null], requestScope = map['ticketGrantingTicketId' -> [null]], attributes = map[[empty]], messageContext = [DefaultMessageContext@46184e22 sourceMessages = map[[null] -> list[[empty]]]], flowExecution = [FlowExecutionImpl@7e5c67f1 flow = 'login', flowSessions = list[[FlowSessionImpl@4157062f flow = 'login', state = 'viewLoginForm', scope = map['passwordManagementEnabled' -> false, 'rememberMeAuthenticationEnabled' -> false, 'recaptchaSiteKey' -> [null], 'viewScope' -> map[[empty]], 'credential' -> null, 'warnCookieValue' -> false, 'staticAuthentication' -> true, 'service' -> org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@62347e06[id=https://localhost:8449/callback?client_name=CasClient,originalUrl=https://localhost:8449/callback?client_name=CasClient,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML], 'ticketGrantingTicketId' -> [null], 'googleAnalyticsTrackingId' -> [null], 'trackGeoLocation' -> false]]]]], rememberMeAuthenticationEnabled=false, currentUser=null, credential=null, flowExecutionKey=35aa2986-8f39-4b7f-8a78-4a69bb475c54_H4sIAAAAA [...] AA%3D, rootCauseException=org.apereo.cas.services.UnauthorizedSsoServiceException: service.not.authorized.sso, flowRequestContext=[RequestControlContextImpl@2b4c688c externalContext = org.springframework.webflow.mvc.servlet.MvcExternalContext@408aeb6f, currentEvent = [null], requestScope = map['ticketGrantingTicketId' -> [null]], attributes = map[[empty]], messageContext = [DefaultMessageContext@46184e22 sourceMessages = map[[null] -> list[[empty]]]], flowExecution = [FlowExecutionImpl@7e5c67f1 flow = 'login', flowSessions = list[[FlowSessionImpl@4157062f flow = 'login', state = 'viewLoginForm', scope = map['passwordManagementEnabled' -> false, 'rememberMeAuthenticationEnabled' -> false, 'recaptchaSiteKey' -> [null], 'viewScope' -> map[[empty]], 'credential' -> null, 'warnCookieValue' -> false, 'staticAuthentication' -> true, 'service' -> org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@62347e06[id=https://localhost:8449/callback?client_name=CasClient,originalUrl=https://localhost:8449/callback?client_name=CasClient,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML], 'ticketGrantingTicketId' -> [null], 'googleAnalyticsTrackingId' -> [null], 'trackGeoLocation' -> false]]]]], rememberMeAuthenticationEnabled=false, currentUser=null, credential=null, flowExecutionKey=35aa2986

[...]

2018-04-19 11:53:23,237 DEBUG [org.apereo.cas.services.web.ChainingThemeResolver] - <No specific theme could be found. Using default theme [cas-theme-default}>

2018-04-19 11:53:23,266 DEBUG [org.springframework.webflow.engine.Transition] - <Completed transition execution. As a result, the new state is 'viewLoginForm' in flow 'login'>

2018-04-19 11:53:23,267 TRACE [org.springframework.web.servlet.DispatcherServlet] - <Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade@33327a12> <- same object ref# as in the initial above log msg.

2018-04-19 11:53:23,267 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <Successfully completed request>

run-8443-maybe-SSO-issue.txt

Steve Hespelt

unread,

Apr 19, 2018, 4:39:17 PM4/19/18

to CAS Community

Well, I stumbled across a few config properties I decided to try (desperate people do desperate things...)

cas.http-web-request.cors.allow-credentials=true

# ? where are login requests coming from? Our webapp server name(s)

# is this needed to get the final redirect back to our app ??

cas.http-web-request.cors.allow-origins=localhost

# ??

cas.webflow.redirect-same-state=true

Restarted CAS, same test case.

now I see this warning log:

2018-04-19 15:47:48,430 WARN [org.apereo.cas.web.flow.ServiceAuthorizationCheck] - <Service Management: missing service. Service [https://localhost:8449/callback?client_name=CasClient] is not found in service registry.>

^^^^ I have to have a Service defined for the call back to the initial app ???

2018-04-19 15:47:48,432 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImpl] - <Attempting to handle [org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.ServiceAuthorizationCheck@5fad865 in state 'serviceAuthorizationCheck' of flow 'login' -- action execution attributes were 'map[[empty]]'] with root cause [org.apereo.cas.services.UnauthorizedServiceException: Service Management: missing service. Service [https://localhost:8449/callback?client_name=CasClient] is not found in service registry.]>

Has anyone actually gotten delegated authentication to flow from CAS back to an app that used the CAS protocol to request authentication to work? using CAS 5.2.x ? Reading tons of CAS docs have provided no magic beans, nor did any page mention having to have a call back service defined...

Am I frustrated? You bet.

Is it correct for me to assume that this use case is 'typical' and that being tyhttps://apereo.github.io/cas/5.2.x/installation/Webflow-Customization.htmlpical, the default webflow definitions in CAS 5.2.2 ought to provide for it working? The docs at https://apereo.github.io/cas/5.2.x/installation/Webflow-Customization.html certainly suggest to me that's the case.

Sure would like to make use of many of the positive features described in CAS 5.2.x. But I have to wonder if I'm missing much of the necessary details. I would like to avoid implementing all the features myself. Never been a big fan of the "let's reinvent the wheel" school of development. But...

Any insights, magic beans greatly appreciated.

-steve

Jérôme LELEU

unread,

Apr 20, 2018, 9:04:25 AM4/20/18

to CAS Community

Hi,

I'm resuming on your latest message.

Yes, you do need a callback URL for your application.

This is the doc you are looking for: https://apereo.github.io/cas/5.2.x/installation/Service-Management.html

Every time you want an application to log in to the CAS server, the CAS server must know it. Thus the declaration of the CAS services and callback URLs.

Thanks.

Best regards,

Jérôme

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b04acace-f3d2-4d4e-a4e2-84314c92aa54%40apereo.org.

Alin Tomoiaga

unread,

Jul 21, 2021, 10:31:58 AM7/21/21

to CAS Community, leleuj

Hi @leleuj,

This is the behavior that I am seeing in 5.2.7:

- if I have a single delegated idp, this works https://myapppretectedwithcas?client_name=remoteidp1. It works great; get redirected to remoteidp1 comes back to app, great.

cas.authn.pac4j.cas[0].loginUrl=https://remoteidp1/cas/login

cas.authn.pac4j.cas[0].protocol=CAS20

cas.authn.pac4j.cas[0].clientName=remoteidp1

cas.authn.pac4j.cas[0].autoRedirect=true # not sure if this does anything

cas.authn.pac4j.autoRedirect=true # i guess this works

- but if I have two idps, then https://myapppretectedwithcas?client_name=remoteidp1 does not work anymore

cas.authn.pac4j.cas[0].loginUrl=https://remoteidp1/cas/login

cas.authn.pac4j.cas[0].protocol=CAS20

cas.authn.pac4j.cas[0].clientName=remoteidp1

cas.authn.pac4j.cas[0].autoRedirect=true # not sure if this does anything

cas.authn.pac4j.autoRedirect=true # i guess this works

cas.authn.pac4j.cas[1].loginUrl=https://remoteidp2/cas/login

cas.authn.pac4j.cas[1].protocol=CAS20

cas.authn.pac4j.cas[1].clientName=remoteidp2

Now, nothing works,

this does not work meaning the user is just presented with the WAYF page, but they are not sent to the IDPs directly

https://myapppretectedwithcas?client_name=remoteidp2

this does not work

https://myapppretectedwithcas?client_name=remoteidp1

To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

Alin Tomoiaga

unread,

Jul 21, 2021, 10:33:50 AM7/21/21

to CAS Community, Alin Tomoiaga, leleuj

Thank you very much, I appreciate your time and opinion.

Best,

Alin

Reply all

Reply to author

Forward

0 new messages