Re: [cas-user] CAS 6.6.x SAML delegated authN to Okta not working

2023-08-14 Thread Ray Bon
Yan,

Is it possible that the okta-cas config is incorrect and okta is returning an 
error response which cas does not understand?
Are you using SAML Tracer to see the exchanges between SPs and IdPs?
If the keystore is not created, you can create it yourself. Or, turn off SAML 
encryption between SPs and IdPs.

Ray

On Fri, 2023-08-11 at 13:42 -0700, Yan Zhou wrote:


Hi there,

When CAS is the SAML2 IDP, I am able to run a client app that authenticates 
successfully. But I have trouble when CAS delegates authN to Okta (CAS is set up 
as an SP in Okta).

The client app runs on localhost:8081, and CAS 6.6.x runs on localhost:8443 and 
delegates to the Okta SAML2 IDP.

Here is my problem: I likely misunderstood how delegated authN should work, but 
I do not know how.

When I go to the client at localhost:8081, it redirects to: 
http://localhost:8081/saml/login?idp=https%3A%2F%2Flocalhost%3A8443%2Fidp

which redirects to: https://localhost:8443/cas/idp/profile/SAML2/POST/SSO

I would expect the Okta login page to come up, but I am getting a CAS error page 
that says "page Not found". I did not see any error in the CAS log.



In Okta, I configured my local CAS as a SAML 2.0 application

==

SSO URL:  https://localhost:8443/cas/login

Audience URI:   https://localhost:8443/cas/idp



cas.properties

==

cas.authn.pac4j.saml[0].keystorePath=file:///C:/apereocas66x/config/casas-samlsp/samlkeystore
<== I do not see the keystore being created; why is this not created?
cas.authn.pac4j.saml[0].keystorePassword=changeit
cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
cas.authn.pac4j.saml[0].privateKeyPassword=changeit
cas.authn.pac4j.saml[0].serviceProviderEntityId=http://localhost:8081/saml/metadata
<== same SP entity ID as when CAS was the IDP itself, without delegated authN
cas.authn.pac4j.saml[0].clientName=bootsp2
cas.authn.pac4j.saml[0].forceAuth=false
cas.authn.pac4j.saml[0].passive=false
cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=1209600
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=file:///C:/apereocas66x/config/spmetadata/1005-metadata.xml
<== same SP metadata as when CAS was the IDP itself, without delegated authN
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://dev-11792448.okta.com/app/exkas4vj25jdUfJEx5d7/sso/saml/metadata
cas.authn.pac4j.saml[0].destinationBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
cas.authn.pac4j.saml[0].userNameQualifier=false





JSON file in service registry

==

{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "bootsp2",
  "name" : "bootsp2",
  "id" : 1005,
  "description" : "sample",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "name", "first_name", "middle_name" ] ]
  }
}


thanks,

Yan

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d3a6fe1f993368f34660bba24350724934c9787a.camel%40uvic.ca.


Re: [cas-user] CAS 6.6.x SAML delegated authN to Okta not working

2023-08-14 Thread Yan Zhou
I think I am missing something fundamental, but I do not know what it is.

I first excluded the dependency on cas-server-support-saml-idp because CAS 
is delegating authN to Okta, and I realized the login page does not even come 
up; nothing shows in SAML Tracer. Then I added this dependency, see 
below.

implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-pac4j-webflow:${project.'cas.version'}"

Now the login page comes up, and I can see the authN request coming to CAS, but 
I do not see how CAS delegates authN. It seems that something is missing, 
so that CAS is -not- generating SP metadata, which it should. Not sure 
what I am missing.

I based my cas.properties on the following documentation, but it is not 
working, i.e., nothing is being generated by CAS, and no error either.

In delegated AuthN, when the client comes to CAS, which then delegates to Okta, 
should /cas/idp/profile/SAML2/POST/SSO be called at all?

# Settings required for CAS SP metadata generation process
# The keystore will be automatically generated by CAS with
# keys required for the metadata generation and/or exchange.
#
# cas.authn.pac4j.saml[0].keystorePassword=
# cas.authn.pac4j.saml[0].privateKeyPassword=
# cas.authn.pac4j.saml[0].keystorePath=
# The entityID assigned to CAS acting as the SP
# cas.authn.pac4j.saml[0].serviceProviderEntityId=
# Path to the auto-generated CAS SP metadata
# cas.authn.pac4j.saml[0].serviceProviderMetadataPath=
# cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=
# Path/URL to delegated IdP metadata
# cas.authn.pac4j.saml[0].identityProviderMetadataPath=

Re: [cas-user] CAS 6.6.x SAML delegated authN to Okta not working

2023-08-14 Thread Ray Bon
Yan,

I was browsing the docs and
cas.authn.pac4j.saml[0].serviceProviderMetadataPath
cas.authn.pac4j.saml[0].serviceProviderEntityId
are for CAS's own metadata as a service provider, not the destination application.
https://apereo.github.io/cas/6.6.x/integration/Delegate-Authentication-SAML.html

Ray



Re: [cas-user] CAS 6.6.x SAML delegated authN to Okta not working

2023-08-15 Thread Yan Zhou
Thanks Ray, I am making some progress. I now see the SP metadata and keystore 
being generated.

For delegated AuthN, here is the SAML request from my client app. It goes 
to CAS, and the authN request seems correct.

<saml2p:AuthnRequest ... AssertionConsumerServiceURL="http://localhost:8081/saml/SSO"
    Destination="https://localhost:8443/cas/idp/profile/SAML2/POST/SSO" ... >
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8081/saml/metadata</saml2:Issuer>



But then I run into an error in CAS: it is still loading IDP functionality 
and tries to find the client in the service registry. This is where I do not 
understand how SAML delegated authN works differently from CAS as the IDP itself.

This is my service definition, as the CAS documentation says.
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "bootsp2",
  "name" : "bootsp2",
  "id" : 1005,
  "description" : "sample",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "name", "first_name", "middle_name" ] ]
  }
}

2023-08-15 09:30:23,875 WARN [https-jsse-nio-8443-exec-9] [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <[http://localhost:8081/saml/metadata] is not found in the registry or service access is denied.>
2023-08-15 09:30:23,875 WARN [https-jsse-nio-8443-exec-9] [org.apereo.cas.util.function.FunctionUtils] - 
org.apereo.cas.services.UnauthorizedServiceException: screen.service.error.message
    at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.verifySamlRegisteredService(AbstractSamlIdPProfileHandlerController.java:172) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
    at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.verifySamlAuthenticationRequest(AbstractSamlIdPProfileHandlerController.java:490) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
    at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.initiateAuthenticationRequest(AbstractSamlIdPProfileHandlerController.java:315) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
    at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.lambda$handleSsoPostProfileRequest$4(AbstractSamlIdPProfileHandlerController.java:652) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
    at org.apereo.cas.util.function.FunctionUtils.lambda$doAndHandle$9(FunctionUtils.java:330) ~[cas-server-core-util-api-6.6.9.jar!/:6.6.9]
    at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.handleSsoPostProfileRequest(AbstractSamlIdPProfileHandlerController.java:653) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
    at org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPPostProfileHandlerController.handleSaml2ProfileSsoPostRequest(SSOSamlIdPPostProfileHandlerController.java:74) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]


Re: [cas-user] CAS 6.6.x SAML delegated authN to Okta not working

2023-08-15 Thread Yan Zhou

On my client side, where it loads the IDP XML, what should the SSO URL be when CAS 
delegates SAML authN to Okta?

 
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/cas/idp/profile/SAML2/POST/SSO"/>
- this results in an error on CAS: it tries to load a matching SAML service from 
the service registry, which is not the case in delegated authN

OR

<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/cas/login?client_name=bootsp2"/>
- this results in an error on CAS:

2023-08-15 10:30:16,666 ERROR [https-jsse-nio-8443-exec-4] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - request [https://localhost:8443/cas/login?client_name=bootsp2]>
2023-08-15 10:30:16,667 ERROR [https-jsse-nio-8443-exec-4] [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <
DefaultDelegatedClientAuthenticationWebflowManager.java:retrieveSessionTicketViaClientId:236
DefaultDelegatedClientAuthenticationWebflowManager.java:retrieve:84
DelegatedClientAuthenticationAction.java:restoreAuthenticationRequestInContext:285
>
2023-08-15 10:30:16,667 WARN [https-jsse-nio-8443-exec-4] [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <>
org.apereo.cas.services.UnauthorizedServiceException: 
    at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.restoreAuthenticationRequestInContext(DelegatedClientAuthenticationAction.java:292) ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
    at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.populateContextWithService(DelegatedClientAuthenticationAction.java:205) ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
    at



Re: [cas-user] CAS 6.6.x SAML delegated authN to Okta not working

2023-08-15 Thread Yan Zhou
It is finally working after debugging the source code. I am so grateful for open 
source. Here is the key.

Thanks Ray!

On the CAS side, the generated sp-metadata.xml says:

<md:AssertionConsumerService ... Location="https://localhost:8443/cas/login?client_name=bootsp2"/>


But on my client, where I specify the IDP XML, it needs to use CAS_CLIENT_ID 
as opposed to client_name. Does anyone know why?

<md:SingleSignOnService Binding="..." Location="https://localhost:8443/cas/login?CAS_CLIENT_ID=bootsp2"/>
<md:SingleSignOnService Binding="..." Location="https://localhost:8443/cas/login?CAS_CLIENT_ID=bootsp2"/>

Here is the CAS client definition JSON.
=
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^(https?|imaps)://.*",
  "name" : "bootsp2",
  "id" : 1005,
  "description" : "sample",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "name", "first_name", "middle_name" ] ]
  }
}

SSO URL: if I use https://localhost:8443/cas/login?client_name=bootsp2, 
I get this error (it cannot find the match; I have to use CAS_CLIENT_ID 
as the parameter name, then it will work).

2023-08-15 11:25:01,951 DEBUG [https-jsse-nio-8443-exec-4] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - 
2023-08-15 11:25:01,951 DEBUG [https-jsse-nio-8443-exec-4] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - 
2023-08-15 11:25:01,952 ERROR [https-jsse-nio-8443-exec-4] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - https://localhost:8443/cas/login?client_name=bootsp2]>
2023-08-15 11:25:01,955 ERROR [https-jsse-nio-8443-exec-4] [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <>
org.apereo.cas.services.UnauthorizedServiceException: 
    at org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager.retrieveSessionTicketViaClientId(DefaultDelegatedClientAuthenticationWebflowManager.java:236) ~[cas-server-support-pac4j-core-6.6.9.jar!/:6.6.9]
    at org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager.retrieve(DefaultDelegatedClientAuthenticationWebflowManager.java:84) ~[cas-server-support-pac4j-core-6.6.9.jar!/:6.6.9]
    at 

DefaultDelegatedClientAuthenticationWebflowManager: it is looking for 
CAS_CLIENT_ID_SESSION_KEY in request parameter.
===
protected String getDelegatedClientId(final WebContext webContext, final Client client) {
    // 1. explicit client identifier passed as a request parameter
    var clientId = webContext.getRequestParameter(PARAMETER_CLIENT_ID)
        .map(String::valueOf).orElse(StringUtils.EMPTY);
    if (StringUtils.isBlank(clientId)) {
        // 2. for SAML2 clients, fall back to the RelayState carried by the response
        if (client instanceof SAML2Client) {
            LOGGER.debug("Client identifier could not found in request parameters. Looking at relay-state for the SAML2 client");
            clientId = webContext.getRequestParameter(SamlProtocolConstants.PARAMETER_SAML_RELAY_STATE)
                .map(String::valueOf).orElse(StringUtils.EMPTY);
        }
    }

    // 3. otherwise consult the session store under the key for the client's protocol
    clientId = getDelegatedClientIdFromSessionStore(webContext, client, clientId, OAuth20Client.class, OAUTH20_CLIENT_ID_SESSION_KEY);
    clientId = getDelegatedClientIdFromSessionStore(webContext, client, clientId, OidcClient.class, OIDC_CLIENT_ID_SESSION_KEY);
    clientId = getDelegatedClientIdFromSessionStore(webContext, client, clientId, OAuth10Client.class, OAUTH10_CLIENT_ID_SESSION_KEY);
    clientId = getDelegatedClientIdFromSessionStore(webContext, client, clientId, CasClient.class, CAS_CLIENT_ID_SESSION_KEY);

    LOGGER.debug("Located delegated client identifier [{}]", clientId);
    return clientId;
}

If you know whether I missed anything, I would love to know. I still do 
not understand why I cannot just use client_name as the SSO URL parameter on 
the client side.
thanks,
Yan
