Delegated authentication : error app not registered


Mohamed Amdouni

Sep 22, 2023, 10:56:52 PM9/22/23
to cas-...@apereo.org
Hello,

I'm trying to test a POC with CAS Delegated Authentication PAC4J.

The target Authentication flow is the following:

  1. Client requests access to SP (SAML client)
  2. SP redirects to my CAS Server (SAML IDP)
  3. CAS IDP displays the authentication methods (MENU)
  4. User selects oidcClient
  5. The oidc IDP displays the login page
  6. The authentication is accepted
  7. SP displays the secured resource

There is no problem on steps 1 to 6.

The 7th step doesn't work and CAS displays an error message (translated): "Application not authorized to use CAS... may be not registered application.."

The error message on the server is

ERROR [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - <Delegated client identifier cannot be located in the authentication request [http://localhost:8447/cas/login?code=kgh33f0wEwwRVIr-wS14uKjOFiJQGIv3oU_me-AKnEYZG&state=589160ah66&client_name=oidcFederation]>
ERROR [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <
    DefaultDelegatedClientAuthenticationWebflowManager.java:retrieveSessionTicketViaClientId:236
    DefaultDelegatedClientAuthenticationWebflowManager.java:retrieve:84
    DelegatedClientAuthenticationAction.java:restoreAuthenticationRequestInContext:285
>

The configuration is as the following :

cas.authn.pac4j.oidc[0].generic.type=GENERIC
cas.authn.pac4j.oidc[0].generic.useNonce=true
cas.authn.pac4j.oidc[0].generic.disable-pkce=true
cas.authn.pac4j.oidc[0].generic.scope=openid profile email
cas.authn.pac4j.oidc[0].generic.discovery-uri=https://{url}/.well-known/openid-configuration
cas.authn.pac4j.oidc[0].generic.id={id}
cas.authn.pac4j.oidc[0].generic.secret={secret}
cas.authn.pac4j.oidc[0].generic.client-name=oidcFederation
cas.authn.pac4j.oidc[0].generic.principal-id-attribute=email
cas.authn.pac4j.oidc[0].generic.preferred-jws-algorithm=RS256
cas.authn.pac4j.oidc[0].generic.client-authentication-method=client_secret_basic
cas.authn.pac4j.oidc[0].generic.supported-client-authentication-methods=client_secret_basic,client_secret_post

The saml client is declared as the following:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "Example1",
  "name" : "example1",
  "theme" : "apereo",
  "id" :  10000322,
  "description" : "example1",
  "evaluationOrder" : 8,
  "metadataLocation" : "/etc/config/cas/clients/example1/metadata/example1_metadata.xml"
}

In the log I can see: ACTION: DELEGATED_CLIENT_SUCCESS, but after that it displays: ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED

When debugging, the delegatedclientid request parameter is empty. Is it related to a misconfiguration? Can anyone share a working configuration sample? Thank you.

Best regards 
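A small model of the lookup that the logged stack trace (retrieveSessionTicketViaClientId) refers to, added here as an illustration; it is not the poster's configuration or CAS's own code. It assumes that the callback is identified by a delegatedclientid or client_name query parameter and that the pending request is stored under (client name, state); the store, the client list and the ticket id are all constructed for the example. It shows why a callback without a client identifier cannot be matched to the request CAS started, and why the state value must match as well.

```python
from urllib.parse import parse_qs, urlparse

# Constructed sample callback in the shape of the URL quoted in the post's
# log line; the code and state values are placeholders, not real tokens.
SAMPLE_CALLBACK = (
    "http://localhost:8447/cas/login"
    "?code=CODE_PLACEHOLDER&state=589160ah66&client_name=oidcFederation"
)

# Hypothetical set of delegated clients configured on the CAS side
# (the post declares a single one named oidcFederation).
REGISTERED_CLIENTS = {"oidcFederation"}

# Hypothetical session store: when the server redirects the browser to the
# external IdP it remembers the pending request under (client name, state).
# The ticket id is a constructed placeholder.
SESSION_STORE = {("oidcFederation", "589160ah66"): "TST-1-constructed"}


def client_id_from_callback(callback_url):
    """Return the delegated client identifier carried by the callback, or None.

    Assumption for this model: the identifier may arrive either as the
    delegatedclientid or as the client_name query parameter. parse_qs drops
    empty values, so 'client_name=' counts as absent.
    """
    params = parse_qs(urlparse(callback_url).query)
    for name in ("delegatedclientid", "client_name"):
        values = params.get(name)
        if values and values[0]:
            return values[0]
    return None


def restore_session_ticket(callback_url, store=SESSION_STORE,
                           registered=REGISTERED_CLIENTS):
    """Locate the pending delegated-authentication session for an IdP callback.

    Returns (ticket, None) on success or (None, reason) on rejection. Each
    rejection is a condition worth logging: a missing client identifier (the
    post's error), a client name that is not configured, or a state value
    that does not match any request this server itself initiated.
    """
    params = parse_qs(urlparse(callback_url).query)
    client_id = client_id_from_callback(callback_url)
    if client_id is None:
        return None, "delegated client identifier cannot be located"
    if client_id not in registered:
        return None, "unknown delegated client: " + client_id
    state = (params.get("state") or [None])[0]
    if state is None:
        return None, "missing state parameter"
    ticket = store.get((client_id, state))
    if ticket is None:
        # A client/state pair this server never issued: stale or forged callback.
        return None, "no pending session for client/state pair"
    return ticket, None


if __name__ == "__main__":
    print(restore_session_ticket(SAMPLE_CALLBACK))
    # Same callback without the client identifier: the failure mode in the post's log.
    print(restore_session_ticket(
        "http://localhost:8447/cas/login?code=CODE_PLACEHOLDER&state=589160ah66"))
```

Running the block prints the restored ticket for the complete callback and the "cannot be located" reason for the one lacking the client identifier; the state check is what ties the IdP's response back to the login the server started, so a callback that carries a valid client name but a foreign state is refused too.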

