Kyra,

I will take a wild guess and say that the claims (attributes?) are being cached by CAS. I recall others on this list asking about cached attributes.

Ray

On Thu, 2019-02-28 at 01:29 -0800, kyra1510 wrote:

Hi all,

I have a problem with CAS 5.3.8 when I tried to connect to two services with the same browser. I explain my problem below.

I have one OIDC apereo where I delegate the authentication (with pac4j) to a SAML2 IDP.

I have two OIDC services:
- service1 which releases the claims claim1 and claim2 and service1 has sub1
- service2 which releases the claims claim2 and claim3 and service2 has sub2

The first connection works fine:
- I connect to the OIDC apereo
  https://apereo.oidc.fr/oidc/authorize?response_type=code&client_id=service1.clientId&redirect_uri=service1.serviceId&scope=openid toto
  (toto is a custom scope)
- After I choose the IDP SAML2 for the delegated authentication
- I enter the username and password to log in
- Then I am redirected to the apereo OIDC to the page where I can confirm service is authorized to have access to the claim claim1 and claim2

When I called the profile endpoint, I have claim1 and claim2 and sub1.
The user has sub1.

However the second connection is problematic:
- I connect to the OIDC apereo with service2
  https://apereo.oidc.fr/oidc/authorize?response_type=code&client_id=service2.clientId&redirect_uri=service2.serviceId&scope=openid
- The user is the same to the apereo IDP SAML2
- I am not redirected to the consent page where I can confirm the claim
- But I gain an authorization code

When I called the profile endpoint, I have claim1 and claim2 and sub1. In the usual case, I should have claim2 and claim3 and sub2. It is not the service2 definition but the service1 definition.

If I remove the cookies JSESSIONID and TGC, everything works fine.

Thanks for any help,
Kyra

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca