Jérôme,

Thanks for confirming what I’m seeing and for the heads up that the behavior is 
adjusted in 5.3.
I updated my troubleshooting environment to 5.3 over the weekend and everything 
looks good after some initial testing.

Thank you for the help and your contributions to the project,
Tom

From: cas-user@apereo.org <cas-user@apereo.org> On Behalf Of Jérôme LELEU
Sent: Friday, January 25, 2019 2:06 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] RE: CAS 5.2 PAC4J SAML 2.0 Delegation Behavior

Hi,

You're right: the TGT should be checked first. Note that things have been 
fixed in 5.3: the autoRedirect property is still computed in the 
DelegationAuthenticationClientAction, but the redirection is applied on the 
HTML page.
Thanks.
Best regards,
Jérôme

On Thu, Jan 24, 2019 at 23:25, Tom O'Neill <one...@sigcorp.com> wrote:
Hi All,

I did some additional testing and thought I’d provide an update…

It seems to me that when autoRedirect is set to ‘true’, the CAS TGT is ignored 
and the user is always sent on to authenticate at the IdP.
When autoRedirect is set to ‘false’ the CAS session is recognized OR the user 
can click a button which will delegate authentication to the IdP.

In other words, having autoRedirect set to true seems to negate the CAS TGT 
check.
I could see an argument for delegating every time and I could be overlooking a 
detail but I think it would be better to have it check for a CAS session and 
only delegate if the user isn’t already authenticated.

Thanks,
Tom

From: cas-user@apereo.org <cas-user@apereo.org> On Behalf Of Tom O'Neill
Sent: Thursday, January 24, 2019 2:41 PM
To: cas-user@apereo.org
Subject: [cas-user] CAS 5.2 PAC4J SAML 2.0 Delegation Behavior

Hi All,

I am troubleshooting application integration and looking for some insight.

We have a CAS 5.2 instance with the PAC4J module, which is being used to 
delegate authentication to an IdP using SAML 2.0.
Based on some testing, it seems like the CAS server is delegating 
authentication to the IdP any time the CAS login method is hit.

We have the PAC4J autoRedirect property set to true – so I don’t expect or 
want CAS to present a login page but I also didn’t expect it to redirect to the 
IDP if the user has a valid TGT.
cas.authn.pac4j.autoRedirect=true

Can anyone confirm that this is the designed and expected behavior?
Is anyone aware of a different setting or combination of settings that might 
adjust the behavior to what I’m looking for?

Hopefully I’m missing something.

Thanks!!!
Tom


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/BN7PR02MB50098001DBCF6CAF1552DCE2CB9A0%40BN7PR02MB5009.namprd02.prod.outlook.com.