Hi Andy, thanks for looking at my problem. I'm not sure the problem is the OIDC authentication protocol.
Here are my tomcat logs (I anonymise my logs). The IDP OIDC is the CAS 5.3.7 OIDC and the IDP SAML2 is the IDP where I delegate the authentication.

*LOG tomcat about the authentication OIDC without delegation SAML2*

[07/Feb/2019:09:02:44 +0100] ip GET /oidc/authorize?response_type=code&client_id=clientId&redirect_uri=service&scope=&state=af0ifjsldkj&acr_values=test HTTP/1.1 ?response_type=code&client_id=clientId&redirect_uri=service=&state=af0ifjsldkj&acr_values=test 302 5 451
[07/Feb/2019:09:02:48 +0100] ip GET /login?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode HTTP/1.1 ?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode 200 12090 2211
[07/Feb/2019:09:17:51 +0100] ip POST /login?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient HTTP/1.1 ?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient 302 - 427
[07/Feb/2019:09:17:53 +0100] ip GET /p3/serviceValidate?ticket=ST-1-xxxxxxxxxxidp-oidc.fr&service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient HTTP/1.1 ?ticket=ST-1-xxxxxxxxxxidp-oidc.fr&service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient 200 960 117
[07/Feb/2019:09:17:53 +0100] ip GET /oauth2.0/callbackAuthorize?client_id=clientId&redirect_uri=service&acr_values=test&response_type=code&client_name=CasOAuthClient&ticket=ST-1-xxxxxxxxxxxAidp-oidc.fr HTTP/1.1 ?client_id=clientId&redirect_uri=service&acr_values=test&response_type=code&client_name=CasOAuthClient&ticket=ST-1-xxxxxxxxxxxxxxAidp-oidc.fr 302 - 345
[07/Feb/2019:09:17:54 +0100] 10.35.103.12 GET /oidc/authorize?response_type=code&client_id=clientId&redirect_uri=service&scope=&state=af0ifjsldkj&acr_values=test HTTP/1.1 ?response_type=code&client_id=clientId&redirect_uri=service&scope=&state=af0ifjsldkj&acr_values=test 200 2563 75

*LOG tomcat about the authentication OIDC with delegation SAML2*

[07/Feb/2019:09:25:17 +0100] ip GET /oidc/authorize?response_type=code&client_id=clientId&redirect_uri=service&scope=&state=af0ifjsldkj&acr_values=test HTTP/1.1 ?response_type=code&client_id=clientId&redirect_uri=service=&state=af0ifjsldkj&acr_values=test 302 5 11
[07/Feb/2019:09:25:18 +0100] ip GET /login?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode HTTP/1.1 ?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode 200 8909 138
[07/Feb/2019:09:30:38 +0100] ip GET /clientredirect?client_name=IDP-SAML2&service=service HTTP/1.1 ?client_name=SAML2&service=service 302 - 393
[07/Feb/2019:09:32:27 +0100] ip POST /login?client_name=IDP-SAML HTTP/1.1 ?client_name=clientId 302 - 247
[07/Feb/2019:09:32:28 +0100] 10.35.103.12 GET service?ticket=ST-2-xxxxxxxxxxxxxxxxxxxxxxxxx HTTP/1.1 ?ticket=ST-2-xxxxxxxxxxxxxxxxxxxxxxidp-oidc 404 2343 128

I see that during the OIDC authentication without delegation SAML2 the p3/serviceValidate is called, but not with the delegation SAML2.
I think the problem occurred when the IDP-SAML2 sends the response to the IDP-OIDC.

On Wednesday, 6 February 2019 08:56:47 UTC+1, kyra1510 wrote:
>
> Hi all,
>
> I apologize for my French English.
>
> I have a problem when I upgrade my CAS 5.2.x to CAS 5.3.7 with the SAML delegation.
> My CAS 5.3.7 is configured to use the OpenID Connect authentication but it is possible to delegate the authentication to an IDP SAML2.
> I have no problem with the delegation in CAS 5.2.x.
>
> When I use the OIDC authentication without delegation, the workflow is correct.
> Workflow:
> 1 The user enters their password and logs in on the authentication page
> 2 The user is redirected to a consent page
> 3 When they click on the button "allow", an authorization code is returned
>
> But when I use the SAML2 delegation, I am not redirected to the consent page:
> 1 The user clicks on the button which redirects to the correct IDP
> 2 The user logs in on the IDP SAML
> 3 After that the user is returned to my CAS 5.3.7 and arrives on the page service?ticket=ST-x
> <https://idp-auth.poc-mobilite.test-gar.education.fr/com.worldline.bcmc.gar.openidcpoc.oidcnongar:/oauthredirect?ticket=ST-4-3XKBx3tGziyH-T3nCMxlmedrnycidp-auth.poc-mobilite.test-gar.education.fr>xxxxxxxxxxxxxxxxxxxxxxxxxxx
> and I have a code 302
>
> I found this issue in the github which seems to correspond to my problem:
> https://github.com/apereo/cas/pull/3664.
> It describes the same issue in CAS 5.3.x in the SAML2 protocol before the bug was fixed. It didn't concern the delegation.
> Could it be this problem is related to my issue?
>
> Thanks for any help.
>
> Kyra
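The two request sequences in the message above, replayed through a small access-log parser that reconstructs the per-session path order and reports which server-side steps of the authorization-code flow never happen after the final /login POST. This is an added example, not code from the post or from the CAS project: it assumes a Tomcat access-log pattern of the shape shown in the quoted lines (timestamp, client, method, request target, protocol, query, status, bytes, duration), and the sample sessions, hosts, hostnames and ticket values below are constructed placeholders, trimmed to the fields the parser needs.

```python
"""Reconstruct the request sequence of a CAS OIDC authorization-code flow from
Tomcat access-log lines and report which post-login callback steps are missing.

Constructed example: the log format mirrors the lines quoted in the post, but
the sessions below are rebuilt with placeholder hosts and ticket values."""
import re
from typing import Dict, List, NamedTuple

# Assumed Tomcat pattern "%t %h %m %U %H ?%q %s %b %D", matching the shape of the
# quoted lines. The request target is captured together with its query string.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<host>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+"
    r"HTTP/\S+\s+(?P<query>\S*)\s+(?P<status>\d{3})\s+(?P<bytes>\S+)\s+(?P<ms>\d+)$"
)


class Request(NamedTuple):
    ts: str
    method: str
    path: str      # request path without the query string
    status: int


def parse_access_log(text: str) -> List[Request]:
    """Parse every line matching the assumed pattern; skip anything else."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]
        out.append(Request(m.group("ts"), m.group("method"), path, int(m.group("status"))))
    return out


# The steps the non-delegated session shows after the user authenticates at /login:
# the OAuth callback validates the service ticket (/p3/serviceValidate), then
# /oauth2.0/callbackAuthorize hands control back to /oidc/authorize, which renders
# the consent page with a 200.
EXPECTED_AFTER_LOGIN = [
    ("GET", "/p3/serviceValidate"),
    ("GET", "/oauth2.0/callbackAuthorize"),
    ("GET", "/oidc/authorize"),
]


def missing_callback_steps(requests: List[Request]) -> List[str]:
    """Expected post-login steps that never appear after the last POST /login."""
    last_login = max((i for i, r in enumerate(requests)
                      if r.method == "POST" and r.path == "/login"), default=-1)
    seen = {(r.method, r.path) for r in requests[last_login + 1:]}
    return [f"{m} {p}" for m, p in EXPECTED_AFTER_LOGIN if (m, p) not in seen]


def final_response(requests: List[Request]) -> Dict[str, object]:
    """Where the browser ended up and with what status (empty dict if no requests)."""
    if not requests:
        return {}
    last = requests[-1]
    return {"path": last.path, "status": last.status}


# Constructed sample sessions (placeholder hosts, hostnames and tickets).
WITHOUT_DELEGATION = """\
[07/Feb/2019:09:02:44 +0100] 10.0.0.1 GET /oidc/authorize?response_type=code&client_id=clientId HTTP/1.1 ?response_type=code 302 5 451
[07/Feb/2019:09:02:48 +0100] 10.0.0.1 GET /login?service=https%3A%2F%2Fidp-oidc.example%2Foauth2.0%2FcallbackAuthorize HTTP/1.1 ?service=x 200 12090 2211
[07/Feb/2019:09:17:51 +0100] 10.0.0.1 POST /login?service=https%3A%2F%2Fidp-oidc.example%2Foauth2.0%2FcallbackAuthorize HTTP/1.1 ?service=x 302 - 427
[07/Feb/2019:09:17:53 +0100] 10.0.0.1 GET /p3/serviceValidate?ticket=ST-1-PLACEHOLDER&service=x HTTP/1.1 ?ticket=ST-1-PLACEHOLDER 200 960 117
[07/Feb/2019:09:17:53 +0100] 10.0.0.1 GET /oauth2.0/callbackAuthorize?client_id=clientId&ticket=ST-1-PLACEHOLDER HTTP/1.1 ?client_id=clientId 302 - 345
[07/Feb/2019:09:17:54 +0100] 10.0.0.1 GET /oidc/authorize?response_type=code&client_id=clientId HTTP/1.1 ?response_type=code 200 2563 75
"""

WITH_DELEGATION = """\
[07/Feb/2019:09:25:17 +0100] 10.0.0.1 GET /oidc/authorize?response_type=code&client_id=clientId HTTP/1.1 ?response_type=code 302 5 11
[07/Feb/2019:09:25:18 +0100] 10.0.0.1 GET /login?service=https%3A%2F%2Fidp-oidc.example%2Foauth2.0%2FcallbackAuthorize HTTP/1.1 ?service=x 200 8909 138
[07/Feb/2019:09:30:38 +0100] 10.0.0.1 GET /clientredirect?client_name=IDP-SAML2&service=x HTTP/1.1 ?client_name=IDP-SAML2 302 - 393
[07/Feb/2019:09:32:27 +0100] 10.0.0.1 POST /login?client_name=IDP-SAML2 HTTP/1.1 ?client_name=IDP-SAML2 302 - 247
[07/Feb/2019:09:32:28 +0100] 10.0.0.1 GET /service?ticket=ST-2-PLACEHOLDER HTTP/1.1 ?ticket=ST-2-PLACEHOLDER 404 2343 128
"""

if __name__ == "__main__":
    for label, log in (("without delegation", WITHOUT_DELEGATION),
                       ("with delegation", WITH_DELEGATION)):
        reqs = parse_access_log(log)
        print(label, "->", final_response(reqs), "missing:", missing_callback_steps(reqs))
```

Run against the delegated session, the parser reports all three post-login steps as absent and a final 404 on the service URL, which matches the observation in the message that /p3/serviceValidate is only reached in the non-delegated flow; the same check can be pointed at a real access log once the regex is adjusted to the server's actual pattern.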
