Re: [cas-user] CAS 5.3.16 loses service reference for SAML SP with ForcedAuth when CAS uses Delegated Auth

2023-11-22 Thread Justin Isenhour
Upgrading to latest CAS 6.x is definitely on the road map but is probably 6 
months out for us.  We have an immediate need to enable ForceAuth for a new 
client app that needs to go live in a few weeks.  This is the first client 
app we have had that has required ForceAuth and the login/renew flow is not 
working as expected.  My current goal is to determine if this is some sort 
of bug related to DelegatedAuthClient and ForceAuth together or if this is 
due to some configuration change that I need to make.  If it is code and 
not config, then I'm fine to override the code to implement my own hotfix 
for it, as a short-term solution, while we work towards a CAS upgrade.

Thanks,
Justin

On Wednesday, November 22, 2023 at 12:29:43 PM UTC-5 Ray Bon wrote:

> Justin,
>
> Upgrading very likely will solve this problem (as well as provide a great 
> deal more benefit). Customizing old code adds technical debt.
>
> Ray
>
> On Tue, 2023-11-21 at 11:41 -0800, Justin Isenhour wrote:
>
> Hello, 
>
> I'm hoping someone may have a suggestion of where I can look for the root 
> of this problem.  
>
> We are running CAS 5.3.16 and have a mix of authentication handlers set up 
> including several LDAP auth handlers, delegated auth to AzureAD via OIDC, 
> and SAML delegated auth to various other IDPs.  We have a SAML client that 
> is sending an AuthNRequest with ForceAuthn="true" that is not working as 
> expected when CAS uses Delegated auth.
>
> On the first login request, everything seems to be working fine.  If you 
> log out of that client application, then login again, you get prompted for 
> authentication as expected, but instead of being redirected back to the 
> requested client, CAS directs to the generic success page.
>
> This is only an issue when authentication is done via delegated 
> authentication client, SAML and OIDC both have the same issue.  If 
> authentication is done directly in CAS via LDAP auth handler, then the flow 
> works as expected and you land back into the app every time.
>
> I have CAS source code and am pretty familiar with the code, we've been using 
> CAS since 3.x, but I haven't been able to pinpoint the issue yet.  Anyone 
> have any advice or suggestions?
>
> Thanks in advance,
> Justin Isenhour
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/0a228091-3c54-4606-b22e-dafd7627823bn%40apereo.org.


Re: [cas-user] CAS 5.3.16 loses service reference for SAML SP with ForcedAuth when CAS uses Delegated Auth

2023-11-22 Thread Ray Bon
Justin,

Upgrading very likely will solve this problem (as well as provide a great deal 
more benefit). Customizing old code adds technical debt.

Ray

On Tue, 2023-11-21 at 11:41 -0800, Justin Isenhour wrote:

Hello,

I'm hoping someone may have a suggestion of where I can look for the root of 
this problem.

We are running CAS 5.3.16 and have a mix of authentication handlers set up 
including several LDAP auth handlers, delegated auth to AzureAD via OIDC, and 
SAML delegated auth to various other IDPs.  We have a SAML client that is 
sending an AuthNRequest with ForceAuthn="true" that is not working as expected 
when CAS uses Delegated auth.

On the first login request, everything seems to be working fine.  If you log 
out of that client application, then login again, you get prompted for 
authentication as expected, but instead of being redirected back to the 
requested client, CAS directs to the generic success page.

This is only an issue when authentication is done via delegated authentication 
client, SAML and OIDC both have the same issue.  If authentication is done 
directly in CAS via LDAP auth handler, then the flow works as expected and you 
land back into the app every time.

I have CAS source code and am pretty familiar with the code, we've been using CAS 
since 3.x, but I haven't been able to pinpoint the issue yet.  Anyone have any 
advice or suggestions?

Thanks in advance,
Justin Isenhour




[cas-user] CAS 5.3.16 loses service reference for SAML SP with ForcedAuth when CAS uses Delegated Auth

2023-11-21 Thread Justin Isenhour
Hello,

I'm hoping someone may have a suggestion of where I can look for the root 
of this problem.  

We are running CAS 5.3.16 and have a mix of authentication handlers set up 
including several LDAP auth handlers, delegated auth to AzureAD via OIDC, 
and SAML delegated auth to various other IDPs.  We have a SAML client that 
is sending an AuthNRequest with ForceAuthn="true" that is not working as 
expected when CAS uses Delegated auth.

On the first login request, everything seems to be working fine.  If you 
log out of that client application, then login again, you get prompted for 
authentication as expected, but instead of being redirected back to the 
requested client, CAS directs to the generic success page.

This is only an issue when authentication is done via delegated 
authentication client, SAML and OIDC both have the same issue.  If 
authentication is done directly in CAS via LDAP auth handler, then the flow 
works as expected and you land back into the app every time.

I have CAS source code and am pretty familiar with the code, we've been using 
CAS since 3.x, but I haven't been able to pinpoint the issue yet.  Anyone 
have any advice or suggestions?

Thanks in advance,
Justin Isenhour
