Yan,

It still sounds like you are mixing the client with the delegated authn (okta).

If your client app is communicating with SAML, then cas should be configured as the IdP for the client app. The client app will have cas IdP metadata (with the cas url in it) and cas will have the client app SP metadata, and the service will be registered as a SamlRegisteredService. Hopefully you can test this setup with the default cas user (casuser:Mellon). (You will have to modify the client app json file to turn off redirect.)

Once the cas <-> client app is working correctly, then you can configure cas and okta. Cas will get okta IdP metadata and okta will get cas SP metadata (_not_ client app). (Remember to turn on redirect in the client app json file.)

Sorry about the oidc endpoint stuff. Cas SAML endpoints are here:
https://apereo.github.io/cas/6.6.x/authentication/Configuring-SAML2-Authentication.html#saml-endpoints
You will most likely use the /idp/profile/SAML2/Redirect/SSO or /idp/profile/SAML2/POST/SSO endpoints set in your client app.

This post might be useful: https://fawnoos.com/2022/03/25/cas66-saml-authn-refeds/

Ray

On Fri, 2023-08-25 at 17:05 -0400, Yan wrote:

Hi there,

I made a mistake: I changed dependencies without rebuilding the project. Now I have made progress; auto-redirect is working now, and the Client App goes to the IDP directly (because the IDP metadata generated by CAS has the Okta URL in it). But after I log in through Okta, it redirects to CAS, and this is where I still have a problem.
URL is: https://localhost:8443/cas/login?client_name=bootsp2

Error:

2023-08-25 17:02:54,604 DEBUG [https-jsse-nio-8443-exec-5] [org.pac4j.core.client.Clients] - <Found client: #SAML2Client# | name: bootsp2 | callbackUrl:https://localhost:8443/cas/login | urlResolver: null | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@2a2798a2 | ajaxRequestResolver: null | redirectionActionBuilder: null | credentialsExtractor: null | authenticator: null | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@2b9ecd05 | logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@31f1b268 | authorizationGenerators: [] | checkAuthenticationAttempt: true | for name: bootsp2>
2023-08-25 17:02:54,604 DEBUG [https-jsse-nio-8443-exec-5] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - <Client identifier could not found in request parameters. Looking at relay-state for the SAML2 client>
2023-08-25 17:02:54,605 DEBUG [https-jsse-nio-8443-exec-5] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - <Located delegated client identifier []>
2023-08-25 17:02:54,605 ERROR [https-jsse-nio-8443-exec-5] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - <Delegated client identifier cannot be located in the authentication request [https://localhost:8443/cas/login?client_name=bootsp2]>
2023-08-25 17:02:54,607 ERROR [https-jsse-nio-8443-exec-5] [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <>
org.apereo.cas.services.UnauthorizedServiceException:
    at org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager.retrieveSessionTicketViaClientId(DefaultDelegatedClientAuthenticationWebflowManager.java:236) ~[cas-server-support-pac4j-core-6.6.9.jar!/:6.6.9]
    at org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager.retrieve(DefaultDelegatedClientAuthenticationWebflowManager.java:84) ~[cas-server-support-pac4j-core-6.6.9.jar!/:6.6.9]
    at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.restoreAuthenticationRequestInContext(DelegatedClientAuthenticationAction.java:285) ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
    at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.populateContextWithService(DelegatedClientAuthenticationAction.java:205) ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
    at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.lambda$doExecute$0(DelegatedClientAuthenticationAction.java:123) ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
    at java.util.Optional.orElseGet(Optional.java:369) ~[?:?]
    at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.doExecute(DelegatedClientAuthenticationAction.java:123) ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
    at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
    at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
    at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]

On Fri, Aug 25, 2023 at 3:34 PM Ray Bon <r...@uvic.ca> wrote:

Yan,

My local OIDC goes to cas/oidc/oidcAuthorize, where cas redirects to /cas/login. In your case, cas should redirect to the remote IdP. The cas endpoints are described here:
https://apereo.github.io/cas/6.6.x/authentication/OIDC-Authentication.html
(though I note that the protocol differs from what my client is doing above and says cas/oidc/authorize).

Your client app should know nothing about how or where the login takes place. It should only know about cas. That way you can change the upstream IdP in cas and not have to make changes to your client.
Ray

On Fri, 2023-08-25 at 11:49 -0700, Yan Zhou wrote:

Hi,

This is my environment: CAS 6.6.x, SAML2 delegated authN, Spring Boot app -> CAS -> Okta (CAS delegates to Okta, CAS is an SP to Okta, Okta is the IDP).

One trouble I have is on the client app side: it needs to specify the IDP, which should be CAS, but I do not know what the CAS SSO endpoint below should be (since CAS is also an SP to Okta). I tried /cas/login; as I go to the client app, it redirects to the CAS login page, and I see the external identity provider on the login page. However, autoRedirect is not working, which tells me something is not set up correctly. Did I have the SSO endpoint correct in the following: /cas/login, /cas/logout?

Yan

IDP metadata file placed on the Spring Boot client app side
====================================
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exkas4vj25jdUfJEx5d7">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      </ds:KeyInfo>
      ......................................................
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/cas/logout"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/cas/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/cas/login"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/cas/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

cas.properties, runs on localhost:8443/cas
=============
cas.authn.pac4j.saml[0].keystorePath=file:///C:/apereocas66x/config/casas-samlsp/samlkeystore
cas.authn.pac4j.saml[0].keystorePassword=changeit
cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
cas.authn.pac4j.saml[0].privateKeyPassword=changeit
cas.authn.pac4j.saml[0].serviceProviderEntityId=https://localhost:8443/cas/samlsp
cas.authn.pac4j.saml[0].clientName=bootsp2
cas.authn.pac4j.saml[0].forceAuth=false
cas.authn.pac4j.saml[0].passive=false
cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=3600
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=file:///C:/apereocas66x/config/casas-samlsp/sp-metadata.xml
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://............okta.com/app/.........../sso/saml/metadata
cas.authn.pac4j.saml[0].destinationBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
cas.authn.pac4j.saml[0].userNameQualifier=false
cas.authn.pac4j.saml[0].autoRedirect=true

== client app service registry, Spring Boot app runs on localhost:8081
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^http://localhost:8081(/.*)?",
  "name" : "myclientapp",
  "id" : 1005,
  "description" : "sample",
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "delegatedAuthenticationPolicy" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      "allowedProviders" : [ "java.util.ArrayList", [ "bootsp2" ] ]
    }
  }
}

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to a topic in the Google Groups "CAS Community" group.
To unsubscribe from this topic, visit https://groups.google.com/a/apereo.org/d/topic/cas-user/97ykZfDIjpg/unsubscribe.
To unsubscribe from this group and all its topics, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c398e5f77c4da0e97d32f36a3329163aff3becbe.camel%40uvic.ca.
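A small check for the misconfiguration Ray points at in the thread (the client app's IdP metadata sending AuthnRequests to /cas/login, which is CAS's delegated-authn callback, rather than to CAS's own SAML2 IdP endpoints). This is an added example, not code from the thread or from CAS; the two metadata samples are constructed from Yan's file, and the CAS IdP entityID https://localhost:8443/cas/idp is an assumed placeholder.

```python
"""Added example: flag SAML2 IdP metadata whose SSO/SLO endpoints point at CAS's
/cas/login delegated-authn callback instead of CAS's SAML2 IdP profile endpoints."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# CAS serves its SAML2 IdP profile under /idp/profile/SAML2/ (CAS docs linked in the thread);
# assumption: CAS is deployed at the /cas context path.
CAS_IDP_PROFILE = "/cas/idp/profile/SAML2/"

# Constructed sample: Yan's client-side metadata, trimmed to the endpoint elements.
SAMPLE_BAD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkas4vj25jdUfJEx5d7">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/cas/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/cas/login"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/cas/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample of what the client app should trust instead: CAS itself as the IdP.
# The entityID is an assumed placeholder; it must match what the CAS IdP is configured with.
SAMPLE_GOOD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://localhost:8443/cas/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/cas/idp/profile/SAML2/POST/SLO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/cas/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/cas/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text, cas_base="https://localhost:8443", expected_entity_id=None):
    """Return a list of findings; an empty list means every endpoint is a CAS SAML2 IdP endpoint."""
    root = ET.fromstring(xml_text)
    findings = []
    entity_id = root.get("entityID", "")
    if expected_entity_id and entity_id != expected_entity_id:
        findings.append(f"entityID {entity_id!r} is not the CAS IdP entityID {expected_entity_id!r}")
    for tag in ("SingleSignOnService", "SingleLogoutService"):
        for el in root.iter(f"{{{MD_NS}}}{tag}"):
            loc = el.get("Location", "")
            binding = el.get("Binding", "").rsplit(":", 1)[-1]
            if not loc.startswith(cas_base + CAS_IDP_PROFILE):
                # /cas/login is where CAS receives the callback from Okta, not where an SP starts login.
                findings.append(f"{tag} ({binding}) Location {loc} is not a CAS SAML2 IdP endpoint")
    return findings


if __name__ == "__main__":
    for line in check_idp_metadata(SAMPLE_BAD, expected_entity_id="https://localhost:8443/cas/idp"):
        print("FINDING:", line)
```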