Add signature back to SAML AuthnRequest with delegatedAuthN?


Yan Zhou

Sep 19, 2025, 6:13:21 PM
to CAS Community
Hello,

With CAS7 delegated authN via SAML, I noticed that CAS signs the request, but the signature is one of the HTTP request parameters, not part of the SAML AuthnRequest.

This results in Okta responding with 400 Bad Request. I tried another app that generates the signature inside the AuthnRequest, and that works well with Okta.

Is there a way for CAS to keep the signature as part of the SAML AuthnRequest? Pac4jHTTPRedirectDeflateEncoder/doEncode() specifically removes the signature and does not have any way to skip it.

thx!

CAS-generated AuthnRequest during delegated authN to Okta:

HTTP request
=============
SAMLRequest: nVNLj9owEL73V...............JGVDYHy7zsivpx1+R/QY=
RelayState: TST-6-WokcN.............247Q6
SigAlg: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
Signature: KG7pM............F9F5BIzQ==

<saml2p:AuthnRequest AssertionConsumerServiceURL="https://localhost:8743/cas/login?client_name=Okta"
                     AttributeConsumingServiceIndex="0"
                     Destination="https://integrator.....okta.com/app/integrator-.............hn_1/exkux...........97/sso/saml"
                     ForceAuthn="false"
                     ID="_07b013f49ba14c36b4aea4636ea1fdebfee9f1c"
                     IsPassive="false"
                     IssueInstant="2025-09-19T18:35:11.876Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Version="2.0"
                     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     >
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  >https://localhost:8743/cas/samloktasp</saml2:Issuer>
    <saml2p:NameIDPolicy AllowCreate="true"
                         Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                         />
</saml2p:AuthnRequest>

Here is an AuthnRequest generated by another app that works well with Okta:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="https://localhost:8543/saml/SSO"
                     Destination="https://integrator.......okta.com/app/integrator-....._1/exkux....697/sso/saml"
                     ForceAuthn="false"
                     ID="a55h3h9ije9cb3ig13eh144a1cg2eac"
                     IsPassive="false"
                     IssueInstant="2025-09-19T18:35:57.847Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Version="2.0"
                     >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:8543/saml/metadata</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#a55h3h9ije9cb3ig13eh144a1cg2eac">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>Fc22AXihW86stnAjDZGNp31RuKM=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>RqKJZGss9xDkHOPr10hJ
..........

== END ==
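
A diagnostic for the two request shapes compared in the post, as an added example that is not part of the original message or of CAS/pac4j: it inflates a `SAMLRequest` query parameter and reports whether the signature travels as the detached `SigAlg`/`Signature` parameters or as an enveloped `ds:Signature` element. It assumes the HTTP-Redirect encoding (raw DEFLATE, then base64); the function names, IDs and signature values are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def deflate_encode(xml: str) -> str:
    """Raw DEFLATE + base64, as the HTTP-Redirect binding encodes SAMLRequest."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def inspect_redirect_query(query: str) -> dict:
    """Report where the signature of a redirect-binding AuthnRequest lives."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    raw = zlib.decompress(base64.b64decode(params["SAMLRequest"]), -15)
    root = ET.fromstring(raw)  # use a hardened XML parser for untrusted input
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return {
        "id": root.get("ID"),
        "detached": "Signature" in params and "SigAlg" in params,
        "sig_alg": params.get("SigAlg"),
        "enveloped": root.find(f"{{{DS_NS}}}Signature") is not None,
    }


# Constructed samples: placeholder IDs, RelayState and signature values.
PLAIN = (f'<saml2p:AuthnRequest xmlns:saml2p="{SAMLP_NS}" ID="_example1" Version="2.0">'
         '</saml2p:AuthnRequest>')
ENVELOPED = PLAIN.replace("_example1", "_example2").replace(
    "</saml2p", f'<ds:Signature xmlns:ds="{DS_NS}"/></saml2p')

DETACHED_QUERY = urlencode({
    "SAMLRequest": deflate_encode(PLAIN),
    "RelayState": "TST-placeholder",
    "SigAlg": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "Signature": "cGxhY2Vob2xkZXI=",
})
ENVELOPED_QUERY = urlencode({"SAMLRequest": deflate_encode(ENVELOPED)})

if __name__ == "__main__":
    for q in (DETACHED_QUERY, ENVELOPED_QUERY):
        print(inspect_redirect_query(q))
```

The check only locates the signature; it does not validate it against the signer's certificate.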