Hi, Yes, it feels a bit too aggressive to return an IllegalArgumentException, but I think it makes sense as there is already a check via the hasDelegationRequestFailed method to know if the authentication has failed. The check may be incomplete though...
In fact, it's the responsibility of pac4j to handle cancelled/failed authentications and in that case, it returns a null credentials (for delegated authentications), but here, the CAS server takes over. In any case, we should certainly avoid throwing an IllegalArgumentException when pac4j returns a null credentials. How do you get the AuthnFailed SAML response? Thanks. Best regards, Jérôme On Wed, Nov 21, 2018 at 6:18 PM Rich Renomeron <[email protected]> wrote: > I have a requirement to gracefully handle a failed delegated > authentication scenario (from multiple providers). A specific example of > this when a SAML IdP returns an AuthnFailed in the (SAML) response. > > Based on my memory with 5.2 and 5.1 overlays, I would expect that, if > configured correctly, I'd end up on the stopWebflow state when that > happens. But if I am reading the 5.3.5 code and my logs correctly, it > seems that the DelegatedClientAuthenticationAction is now just throwing in > IllegalArgumentException back to the web flow, which results in the generic > error page. That's not really what I want to show my users, especially > when I need to give them a way back to the login page to try a different > authN method and end up at the right service if the other attempt succeeds. > > Is there a preferred way to handle an exception like that now? I could > just mod the generic error page to have a "go back to CAS login" link (like > the stopWebflow error page does), but that's not ideal. Or I could write > some custom code to inject a ExceptionHander into the clientAction state > (which I'm not succeeding with at the moment; I can't get my > WebflowConfigurer to run after the clientAction state has been created). > Is there a reason why CAS doesn't seem to use the stopWebflow state to > handle this any more? > > Thanks, > Rich > > -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAMYXOV9jf2bdAzXjpNA6JgxqmKfXpg49NWdFLt705nebUi4qKA%40mail.gmail.com > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAMYXOV9jf2bdAzXjpNA6JgxqmKfXpg49NWdFLt705nebUi4qKA%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAP279LwTfrvbBRV5n5vhbXTV%3DZ6Pte8qo6NNiQne1dBSF94F3Q%40mail.gmail.com.
