Yan, Is it possible that the okta-cas config is incorrect and okta is returning an error response which cas does not understand? Are you using SAML Tracer to see the exchanges between SPs and IdPs? If the keystore is not created, you can create it yourself. Or, turn off SAML encryption between SPs and IdPs.
Ray

On Fri, 2023-08-11 at 13:42 -0700, Yan Zhou wrote:

Hi there,

When CAS is the SAML2 IdP, I am able to run a client app authenticating successfully. But I have trouble when CAS delegates authN to Okta (CAS is set up as an SP in Okta).

Client app runs on localhost:8081, CAS 6.6.x runs on localhost:8443, delegating to the Okta SAML2 IdP.

Here is my problem: I likely misunderstood how delegated authN should work, but do not know how.

When going to the client at localhost:8081, it redirects to:
http://localhost:8081/saml/login?idp=https%3A%2F%2Flocalhost%3A8443%2Fidp
which redirects to:
https://localhost:8443/cas/idp/profile/SAML2/POST/SSO

I would expect the Okta login page to come up, but I am getting a CAS error page that says "Page Not Found". I did not see any error in the CAS log.

In Okta, I configured my local CAS as a SAML 2.0 application
==================================================
SSO URL: https://localhost:8443/cas/login
Audience URI: https://localhost:8443/cas/idp

cas.properties
==============
cas.authn.pac4j.saml[0].keystorePath=file:///C:/apereocas66x/config/casas-samlsp/samlkeystore   <== I do not see the keystore being created; why is this not created?
cas.authn.pac4j.saml[0].keystorePassword=changeit
cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
cas.authn.pac4j.saml[0].privateKeyPassword=changeit
cas.authn.pac4j.saml[0].serviceProviderEntityId=http://localhost:8081/saml/metadata   <== same SP entity ID as when CAS was the IdP itself, without delegated authN
cas.authn.pac4j.saml[0].clientName=bootsp2
cas.authn.pac4j.saml[0].forceAuth=false
cas.authn.pac4j.saml[0].passive=false
cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=1209600
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=file:///C:/apereocas66x/config/spmetadata/1005-metadata.xml   <== same SP metadata as when CAS was the IdP itself, without delegated authN
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://dev-11792448.okta.com/app/exkas4vj25jdUfJEx5d7/sso/saml/metadata
cas.authn.pac4j.saml[0].destinationBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
cas.authn.pac4j.saml[0].userNameQualifier=false

JSON file in service registry
======================
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "bootsp2",
  "name" : "bootsp2",
  "id" : 1005,
  "description" : "sample",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "name", "first_name", "middle_name" ] ]
  }
}

thanks,
Yan
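As an added debugging aid for the SAML Tracer check Ray suggests (example code, not from the thread, CAS or pac4j), this Python snippet decodes a SAMLRequest parameter the way SAML Tracer does and compares the request's Issuer and AssertionConsumerServiceURL with the Audience URI and Single sign-on URL of the Okta app. The sample request is constructed from the values in Yan's message; the ACS URL form /cas/login?client_name=bootsp2 is an assumption, and the check reports that the posted serviceProviderEntityId (http://localhost:8081/saml/metadata) differs from the Okta Audience URI (https://localhost:8443/cas/idp).

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
OKTA_AUDIENCE_URI = "https://localhost:8443/cas/idp"   # Okta app settings as posted
OKTA_SSO_URL = "https://localhost:8443/cas/login"

# Constructed AuthnRequest matching the posted cas.properties; ACS URL form is assumed.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0" '
    'IssueInstant="2023-08-11T20:42:00Z" '
    'AssertionConsumerServiceURL="https://localhost:8443/cas/login?client_name=bootsp2">'
    '<saml:Issuer>http://localhost:8081/saml/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

def encode_saml_request(xml_text: str, binding: str) -> str:
    """SAMLRequest parameter: raw DEFLATE + base64 for HTTP-Redirect, base64 only for HTTP-POST."""
    data = xml_text.encode("utf-8")
    if binding == "redirect":
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw DEFLATE, no zlib header
        data = comp.compress(data) + comp.flush()
    return base64.b64encode(data).decode("ascii")

def decode_saml_request(param: str, binding: str) -> str:
    """Reverse of encode_saml_request; this is the XML SAML Tracer shows in its SAML tab."""
    data = base64.b64decode(param)
    if binding == "redirect":
        data = zlib.decompress(data, -15)
    return data.decode("utf-8")

def authn_request_fields(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    return {"Issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
            "ACS": root.get("AssertionConsumerServiceURL")}

def check_against_okta_app(fields: dict, audience_uri: str, sso_url: str) -> list:
    """Mismatches between what the SP sent and what the Okta app is configured to accept."""
    problems = []
    if fields["Issuer"] != audience_uri:
        problems.append(f"Issuer {fields['Issuer']} != Okta Audience URI {audience_uri}")
    if fields["ACS"] != sso_url:   # Okta validates the ACS against its Single sign-on URL
        problems.append(f"ACS {fields['ACS']} != Okta Single sign-on URL {sso_url}")
    return problems

if __name__ == "__main__":
    for binding in ("post", "redirect"):
        xml_text = decode_saml_request(encode_saml_request(SAMPLE_AUTHN_REQUEST, binding), binding)
        for p in check_against_okta_app(authn_request_fields(xml_text), OKTA_AUDIENCE_URI, OKTA_SSO_URL):
            print(binding, p)
```

To use it on a real capture, paste the SAMLRequest value from SAML Tracer into decode_saml_request with the binding the request actually used.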