Yan, Could you configure IdP initiated login to redirect to appB rather than cas?
fails due to the following, Is something missing after this? Ray On Mon, 2023-11-27 at 11:36 -0800, Yan Zhou wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. Hi, I am on CAS 6.4.x. Two apps, appA, authenticated by Okta, and appB, authenticated by CAS, cas delegates authN to Okta for appB. This is working correctly: I login to appA via Okta, when I got to appB URL, SSO happens. If I go straight to appB without login to Okta first, delegated authN takes me to Okta login page, etc. That works, partly because I have setup an Application inside Okta Admin portal, for Okta to post SAML response to CAS SSO endpoint: https://..../cas/login?client_name=Okta But, this is Not working. I login to my Okta portal, I click on the SAML2 application icon in Okta portal, i.e., Idp initiated flow, I expect that I will be in appB via SSO, but I am getting "application not authorized error" on CAS. Using SAML tracer, I found the SAML payload is almost identical in both cases, but the IdP-initiated flow fails due to the following, is that because there is Not CAS delegating to Okta, since it is Okta-initiated request, so the call fails? What do I need to do to make Idp initiated flow (i.e., initiated by Okta, which CAS delegates authN to) work? Thanks! protected TransientSessionTicket retrieveSessionTicketViaClientId(final WebContext webContext, final String clientId) { try { val ticket = configContext.getCentralAuthenticationService().getTicket(clientId, TransientSessionTicket.class); LOGGER.debug("Located delegated authentication client identifier as [{}]", ticket.getId()); return ticket; } catch (final Exception e) { LOGGER.error("Delegated client identifier cannot be located in the authentication request [{}]", webContext.getFullRequestURL()); throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, StringUtils.EMPTY); } } -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4897c340ae89a57cdc18c7538ff6d2fa19234f4f.camel%40uvic.ca.
