Still struggling with Azure AD delegated login


Pablo Vidaurri

Jan 2, 2024, 11:31:58 AM1/2/24
to CAS Community
Hello, still struggling with getting Azure AD set up. Tried with both CAS 6.6.8 and 6.6.12.
  • I am able to display the button for delegated login
  • I get redirected to Azure when clicked
  • I am able to login with my AD credentials
  • I get redirected to my app with id_token query param which contains jwt of my user attributes
  • I can verify the id_token value using jwt.ms to view the decoded token.
  • I am able to see default casGenericSuccessView.html page with principal and user attributes from AD
  • But it does not look like a session is actually created. https://mydomain.com/security/actuator/sso returns a 400
This is not a problem when I use LDAP to authenticate.

In my DB, I see TransientSessionTicket and TicketGrantingTicket records being created.

I have the following config:

cas.authn.pac4j.oidc[0].azure.discovery-uri=https://login.microsoftonline.com/<hidden>/v2.0/.well-known/openid-configuration
cas.authn.pac4j.oidc[0].azure.id=<hidden>
cas.authn.pac4j.oidc[0].azure.secret=<hidden>
cas.authn.pac4j.oidc[0].azure.tenant=<hidden>
cas.authn.pac4j.oidc[0].azure.mapped-claims.Email=upn

cas.authn.pac4j.oidc[0].azure.enabled=true
cas.authn.pac4j.oidc[0].azure.client-name=AzureAdClient
cas.authn.pac4j.oidc[0].azure.display-name=Azure AD
cas.authn.pac4j.oidc[0].azure.auto-redirect-type=NONE
cas.authn.pac4j.oidc[0].azure.callback-url-type=PATH_PARAMETER
cas.authn.pac4j.oidc[0].azure.logout-url=https://login.microsoftonline.com/common/oauth2/logout
cas.authn.pac4j.oidc[0].azure.use-nonce=true

cas.authn.pac4j.oidc[0].azure.principal-attribute-id=userId
cas.authn.pac4j.oidc[0].azure.response-mode=form_post
cas.authn.pac4j.oidc[0].azure.response-type=id_token
cas.authn.pac4j.oidc[0].azure.scope=openid,profile,email

Any insight would be appreciated.
-psv

Pablo Vidaurri

Jan 2, 2024, 9:33:58 PM1/2/24
to CAS Community, Pablo Vidaurri
It looks like the TGC is getting clobbered.

On redirect back to CAS with id_token: https://mydomain.com/cas/login?id_token=<REMOVED>&state=bfed6b9641&session_state=<REMOVE>&client_name=AzureAdClient

I'm getting two TGC cookie values:
TGC=<REMOVED>; Path=/cas; SameSite=None; Secure; HttpOnly
LANGUAGE_OPTION=en; path=/; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT
TGC=""; Version=1; Path=/cas; Secure; HttpOnly; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Comment="CAS Cookie"

This is out-of-the-box CAS v6.6.14.

-psv
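
The two Set-Cookie headers quoted above are enough to explain the missing session. The following is an added example, not code from this thread or from the CAS project: it applies a response's Set-Cookie headers in order the way a browser does under RFC 6265 section 5.3 (a later cookie with the same name and path replaces the earlier one, and Max-Age=0 or a past Expires deletes it) and then reports which cookies would be attached to a request for /cas/login. The header list is constructed from the ones in the post; the TGC ticket value is a placeholder.

```python
"""Simulate browser handling of a CAS login response that sets and then clears TGC.

Added example, not code from the thread or from CAS. Implements the parts of
RFC 6265 (sections 5.2, 5.3 and 5.1.4) needed to show why a response that
carries both "TGC=<value>" and a later "TGC=\"\"; Max-Age=0" leaves the
browser with no TGC at all.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    path: str
    secure: bool = False
    http_only: bool = False
    max_age: Optional[int] = None
    expires: Optional[datetime] = None

    def is_expired(self, now: datetime) -> bool:
        # RFC 6265 5.3 step 3: Max-Age takes precedence over Expires.
        if self.max_age is not None:
            return self.max_age <= 0
        if self.expires is not None:
            return self.expires <= now
        return False


def parse_set_cookie(header: str, default_path: str = "/") -> Cookie:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(), path=default_path)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "max-age":
            try:
                cookie.max_age = int(val)
            except ValueError:
                pass  # a non-numeric Max-Age is ignored
        elif key == "expires":
            try:
                exp = parsedate_to_datetime(val)
                cookie.expires = exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)
            except (TypeError, ValueError):
                pass  # an unparseable Expires is ignored
        # Version, Comment, SameSite and unknown attributes are ignored here.
    return cookie


def apply_set_cookies(headers: List[str], now: Optional[datetime] = None) -> Dict[Tuple[str, str], Cookie]:
    """Apply a response's Set-Cookie headers in order and return the resulting jar.

    All headers are assumed to come from the same host, so (name, path) is the key.
    """
    now = now or datetime.now(timezone.utc)
    jar: Dict[Tuple[str, str], Cookie] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        key = (cookie.name, cookie.path)
        if cookie.is_expired(now):
            jar.pop(key, None)  # RFC 6265 5.3 step 11-12: an expired cookie evicts the stored one
        else:
            jar[key] = cookie  # replaces any earlier cookie with the same name and path
    return jar


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_sent_to(jar: Dict[Tuple[str, str], Cookie], request_path: str) -> List[str]:
    """Names of the jar's cookies a browser would attach to an HTTPS request for request_path."""
    return sorted(c.name for c in jar.values() if path_matches(c.path, request_path))


# Constructed from the headers quoted in the thread; the ticket value is a placeholder.
CAS_LOGIN_RESPONSE = [
    "TGC=TGT-1-placeholder; Path=/cas; SameSite=None; Secure; HttpOnly",
    "LANGUAGE_OPTION=en; path=/; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT",
    'TGC=""; Version=1; Path=/cas; Secure; HttpOnly; Max-Age=0; '
    'Expires=Thu, 01-Jan-1970 00:00:00 GMT; Comment="CAS Cookie"',
]

if __name__ == "__main__":
    print("as observed:", cookies_sent_to(apply_set_cookies(CAS_LOGIN_RESPONSE), "/cas/login"))
    print("without the clearing header:", cookies_sent_to(apply_set_cookies(CAS_LOGIN_RESPONSE[:2]), "/cas/login"))
```

Running it shows the observed response leaves no TGC for /cas/login, while the same response without the third header keeps it; reversing the order of the two TGC headers would also keep it, which is why the symptom depends on which part of the webflow writes its Set-Cookie last rather than on the cookie values themselves.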

Pablo Vidaurri

Jan 5, 2024, 1:00:48 AM1/5/24
to CAS Community, Pablo Vidaurri
To close on this issue: I found it was related to having two TGC cookies. Stumbling across this post, I see the same use case being an issue since 2021. I have users either log in to the CAS login page directly, which authenticates against LDAP, or click on a delegated login button (out-of-the-box function via config), which redirects them to Azure AD for authentication. It is when the user clicks on the Azure AD button that I get two TGCs and no session gets created on the browser.

I've worked around this for now by commenting out this line in the configureWebflowForTicketGrantingTicket method of InitialFlowSetupAction.java:
   clearTicketGrantingCookieFromContext(context, null);

-psv
