Yan, My local OIDC goes to cas/oidc/oidcAuthorize where cas redirects to /cas/login. In your case, cas should redirect to the remote IdP. The cas endpoints are described here, https://apereo.github.io/cas/6.6.x/authentication/OIDC-Authentication.html (though I note that the protocol differs from what my client is doing above and says cas/oidc/authorize).
Your client app should know nothing about how or where the login takes place. It should only know about cas. That way you can change the upstream IdP in cas and not have to make changes to your client.

Ray

On Fri, 2023-08-25 at 11:49 -0700, Yan Zhou wrote:
> Hi,
>
> This is my environment: CAS 6.6.x, SAML2 delegated authN, Spring Boot app -> CAS -> Okta (CAS delegates to Okta, CAS is an SP to Okta, Okta is the IdP).
>
> One trouble I have is on the client app side: it needs to specify the IdP, which should be CAS, but I do not know what the CAS SSO endpoint below should be (since CAS is also an SP to Okta). I tried /cas/login; as I go to the client app, it redirects to the CAS login page, and I see the external identity provider on the login page. However, autoRedirect is not working, which tells me something is not set up correctly.
>
> Did I have the SSO endpoint correct in the following: /cas/login, /cas/logout?
>
> Yan
>
> IdP metadata file placed on the Spring Boot client app side
> ====================================
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exkas4vj25jdUfJEx5d7">
>   <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>     <md:KeyDescriptor use="signing">
>       </ds:KeyInfo>
>       ......................................................
>     </md:KeyDescriptor>
>     <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/cas/logout"/>
>     <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/cas/logout"/>
>     <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
>     <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
>     <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/cas/login"/>
>     <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/cas/login"/>
>   </md:IDPSSODescriptor>
> </md:EntityDescriptor>
>
> cas.properties, runs on localhost:8443/cas
> =============
> cas.authn.pac4j.saml[0].keystorePath=file:///C:/apereocas66x/config/casas-samlsp/samlkeystore
> cas.authn.pac4j.saml[0].keystorePassword=changeit
> cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
> cas.authn.pac4j.saml[0].privateKeyPassword=changeit
> cas.authn.pac4j.saml[0].serviceProviderEntityId=https://localhost:8443/cas/samlsp
> cas.authn.pac4j.saml[0].clientName=bootsp2
> cas.authn.pac4j.saml[0].forceAuth=false
> cas.authn.pac4j.saml[0].passive=false
> cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=3600
> cas.authn.pac4j.saml[0].serviceProviderMetadataPath=file:///C:/apereocas66x/config/casas-samlsp/sp-metadata.xml
> cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://............okta.com/app/.........../sso/saml/metadata
> cas.authn.pac4j.saml[0].destinationBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
> cas.authn.pac4j.saml[0].userNameQualifier=false
> cas.authn.pac4j.saml[0].autoRedirect=true
>
> == client app service registry, Spring Boot app runs on localhost:8081
> {
>   "@class" : "org.apereo.cas.services.CasRegisteredService",
>   "serviceId" : "^http://localhost:8081(/.*)?",
>   "name" : "myclientapp",
>   "id" : 1005,
>   "description" : "sample",
>   "accessStrategy" : {
>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "delegatedAuthenticationPolicy" : {
>       "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
>       "allowedProviders" : [ "java.util.ArrayList", [ "bootsp2" ] ]
>     }
>   }
> }

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c398e5f77c4da0e97d32f36a3329163aff3becbe.camel%40uvic.ca.