SAML delegation CAS 6.6.x, which XML to use on ClientApp side, IDP or SP metadata?

[Yan Zhou]

HI there,

I am a bit confused with a couple configuration. 

Say,  client app (bootsp2) wants to authN against CAS 6.6.x via SAML2, which delegates to Okta IDP using SAML2.

CAS starts up fine, generates meta data for SP as well.

1. my CAS login page, under External Provider, shows "bootsp2", not "Okta".  this does not sound right. 

is that because of this line in cas.properties? i see no where else to indicate the name of the external provider.

cas.authn.pac4j.saml[0].clientName=bootsp2

2.  on my client app (bootstp2), it needs the IDP XML, which one should I use?

https://cinwl912vj2j.us.qdx.com:8443/cas/sp/metadata,  OR, 

https://cinwl912vj2j.us.qdx.com:8443/cas/sp/idp/metadata

it feels like I need to take sp/metadata and place it as IDP on client side, since the flow is for client -> CAS -> Okta?

thanks,

yan

[Ray Bon]

Yan,

There are two independent steps; bootstp2 -> cas (SP -> IdP), and cas -> okta (SP -> IdP).

See https://apereo.github.io/cas/6.6.x/protocol/Protocol-Overview.html#the-bridge for explanation.

Delegation can be per service or global. I have not used delegation so am unsure why the cas login page is showing; unless it is giving user a chance to select the IdP.

For the IdP XML for bootstp2, you can paste the url in your browser and see if the metadata is correct (for cas as IdP).

Ray

On Wed, 2023-08-16 at 08:26 -0700, Yan Zhou wrote:

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.