Yan, There are two independent steps; bootstp2 -> cas (SP -> IdP), and cas -> okta (SP -> IdP). See https://apereo.github.io/cas/6.6.x/protocol/Protocol-Overview.html#the-bridge for explanation.
Delegation can be per service or global. I have not used delegation so am unsure why the cas login page is showing; unless it is giving user a chance to select the IdP. For the IdP XML for bootstp2, you can paste the url in your browser and see if the metadata is correct (for cas as IdP). Ray On Wed, 2023-08-16 at 08:26 -0700, Yan Zhou wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. HI there, I am a bit confused with a couple configuration. Say, client app (bootsp2) wants to authN against CAS 6.6.x via SAML2, which delegates to Okta IDP using SAML2. CAS starts up fine, generates meta data for SP as well. 1. my CAS login page, under External Provider, shows "bootsp2", not "Okta". this does not sound right. is that because of this line in cas.properties? i see no where else to indicate the name of the external provider. cas.authn.pac4j.saml[0].clientName=bootsp2 2. on my client app (bootstp2), it needs the IDP XML, which one should I use? https://cinwl912vj2j.us.qdx.com:8443/cas/sp/metadata, OR, https://cinwl912vj2j.us.qdx.com:8443/cas/sp/idp/metadata it feels like I need to take sp/metadata and place it as IDP on client side, since the flow is for client -> CAS -> Okta? thanks, yan -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6de0f03fe27cf1c42aec91836826b6fa3a0c3a45.camel%40uvic.ca.