Hi Andy,

Thanks for looking at my problem.
I'm not sure the problem is in the OIDC authentication protocol.

Here are my Tomcat logs (I have anonymised them):

The OIDC IdP is the CAS 5.3.7 OIDC server and the SAML2 IdP is the IdP to which I 
delegate the authentication.

*Tomcat log for the OIDC authentication without SAML2 delegation*

[07/Feb/2019:09:02:44 +0100] ip GET /oidc/authorize?response_type=code&client_id=clientId&redirect_uri=service&scope=&state=af0ifjsldkj&acr_values=test HTTP/1.1 ?response_type=code&client_id=clientId&redirect_uri=service=&state=af0ifjsldkj&acr_values=test 302 5 451

[07/Feb/2019:09:02:48 +0100] ip GET /login?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode HTTP/1.1 ?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode 200 12090 2211

[07/Feb/2019:09:17:51 +0100] ip POST /login?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient HTTP/1.1 ?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient 302 - 427

[07/Feb/2019:09:17:53 +0100] ip GET /p3/serviceValidate?ticket=ST-1-xxxxxxxxxxidp-oidc.fr&service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient HTTP/1.1 ?ticket=ST-1-xxxxxxxxxxidp-oidc.fr&service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient 200 960 117

[07/Feb/2019:09:17:53 +0100] ip GET /oauth2.0/callbackAuthorize?client_id=clientId&redirect_uri=service&acr_values=test&response_type=code&client_name=CasOAuthClient&ticket=ST-1-xxxxxxxxxxxAidp-oidc.fr HTTP/1.1 ?client_id=clientId&redirect_uri=service&acr_values=test&response_type=code&client_name=CasOAuthClient&ticket=ST-1-xxxxxxxxxxxxxxAidp-oidc.fr 302 - 345

[07/Feb/2019:09:17:54 +0100] 10.35.103.12 GET /oidc/authorize?response_type=code&client_id=clientId&redirect_uri=service&scope=&state=af0ifjsldkj&acr_values=test HTTP/1.1 ?response_type=code&client_id=clientId&redirect_uri=service&scope=&state=af0ifjsldkj&acr_values=test 200 2563 75

 

*Tomcat log for the OIDC authentication with SAML2 delegation*

[07/Feb/2019:09:25:17 +0100] ip GET /oidc/authorize?response_type=code&client_id=clientId&redirect_uri=service&scope=&state=af0ifjsldkj&acr_values=test HTTP/1.1 ?response_type=code&client_id=clientId&redirect_uri=service=&state=af0ifjsldkj&acr_values=test 302 5 11

[07/Feb/2019:09:25:18 +0100] ip GET /login?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode HTTP/1.1 ?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode 200 8909 138

[07/Feb/2019:09:30:38 +0100] ip GET /clientredirect?client_name=IDP-SAML2&service=service HTTP/1.1 ?client_name=SAML2&service=service 302 - 393

[07/Feb/2019:09:32:27 +0100] ip POST /login?client_name=IDP-SAML HTTP/1.1 ?client_name=clientId 302 - 247

[07/Feb/2019:09:32:28 +0100] 10.35.103.12 GET service?ticket=ST-2-xxxxxxxxxxxxxxxxxxxxxxxxx HTTP/1.1 ?ticket=ST-2-xxxxxxxxxxxxxxxxxxxxxxidp-oidc 404 2343 128

I see that during the OIDC authentication without SAML2 delegation, 
/p3/serviceValidate is called, but it is not called with SAML2 delegation.
I think the problem occurs when the IDP-SAML2 sends the response to the 
IDP-OIDC.


On Wednesday, 6 February 2019 08:56:47 UTC+1, kyra1510 wrote:
>
> Hi all,
>
> I apologize for my French English.
>
> I have a problem with SAML delegation after upgrading my CAS 5.2.x to 
> CAS 5.3.7.
> My CAS 5.3.7 is configured to use OpenID Connect authentication, but it 
> is possible to delegate the authentication to a SAML2 IdP.
> I have no problem with the delegation in CAS 5.2.x.
>
> When I use the OIDC authentication without delegation, the workflow is 
> correct.
> Workflow:
> 1. The user enters their password and logs in on the authentication page
> 2. The user is redirected to a consent page
> 3. When they click the "allow" button, an authorization code is returned
>
> But when I use the SAML2 delegation, I am not redirected to the consent page:
> 1. The user clicks the button that redirects to the correct IdP
> 2. The user logs in on the SAML IdP  
> 3. Then the user is returned to my CAS 5.3.7 and arrives on the page 
> service?ticket=ST-x 
> <https://idp-auth.poc-mobilite.test-gar.education.fr/com.worldline.bcmc.gar.openidcpoc.oidcnongar:/oauthredirect?ticket=ST-4-3XKBx3tGziyH-T3nCMxlmedrnycidp-auth.poc-mobilite.test-gar.education.fr>xxxxxxxxxxxxxxxxxxxxxxxxxxx
>  
> and I get a 302 code.
>
>
> I found this issue on GitHub, which seems to correspond to my problem: 
> https://github.com/apereo/cas/pull/3664.
> It describes the same issue in CAS 5.3.x in the SAML2 protocol before the 
> bug was fixed. It doesn't concern delegation.
> Could this problem be related to my issue?
>
> Thanks for any help.
>
> Kyra
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/482d38c3-121b-449e-aa31-5c38ab2944fd%40apereo.org.
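The comparison the poster makes by eye (which requests appear in the working flow but not in the delegated one, and where the service ticket ends up) can be done mechanically over the access log. The script below is an added example, not code from the poster or from the CAS project. It assumes the line layout visible in the pasted logs (timestamp, client, method, target, protocol, echoed query, status, bytes, milliseconds) and models the "expected" steps on the non-delegated log above; the sample lines are constructed from the post with tickets shortened, and the names `parse_log`, `missing_steps`, `ticket_hops`, `login_service_path`, `ticket_reached_callback` and `EXPECTED_PATHS` are this example's own.

```python
"""Compare two CAS access-log flows and report which steps of the OIDC
authorization round-trip are missing. Added example, not the poster's code."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines, modelled on the wrapped log lines in the post
# (joined onto one line each, tickets shortened). Not the poster's real logs.
NO_DELEGATION = """\
[07/Feb/2019:09:02:44 +0100] ip GET /oidc/authorize?response_type=code&client_id=clientId&redirect_uri=service&scope=&state=af0ifjsldkj&acr_values=test HTTP/1.1 ?response_type=code&client_id=clientId&redirect_uri=service=&state=af0ifjsldkj&acr_values=test 302 5 451
[07/Feb/2019:09:02:48 +0100] ip GET /login?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode HTTP/1.1 ?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode 200 12090 2211
[07/Feb/2019:09:17:51 +0100] ip POST /login?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient HTTP/1.1 ?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient 302 - 427
[07/Feb/2019:09:17:53 +0100] ip GET /p3/serviceValidate?ticket=ST-1-xxxxidp-oidc.fr&service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient HTTP/1.1 ?ticket=ST-1-xxxxidp-oidc.fr&service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient 200 960 117
[07/Feb/2019:09:17:53 +0100] ip GET /oauth2.0/callbackAuthorize?client_id=clientId&redirect_uri=service&acr_values=test&response_type=code&client_name=CasOAuthClient&ticket=ST-1-xxxxidp-oidc.fr HTTP/1.1 ?client_id=clientId&redirect_uri=service&acr_values=test&response_type=code&client_name=CasOAuthClient&ticket=ST-1-xxxxidp-oidc.fr 302 - 345
[07/Feb/2019:09:17:54 +0100] 10.35.103.12 GET /oidc/authorize?response_type=code&client_id=clientId&redirect_uri=service&scope=&state=af0ifjsldkj&acr_values=test HTTP/1.1 ?response_type=code&client_id=clientId&redirect_uri=service&scope=&state=af0ifjsldkj&acr_values=test 200 2563 75
""".splitlines()

WITH_DELEGATION = """\
[07/Feb/2019:09:25:17 +0100] ip GET /oidc/authorize?response_type=code&client_id=clientId&redirect_uri=service&scope=&state=af0ifjsldkj&acr_values=test HTTP/1.1 ?response_type=code&client_id=clientId&redirect_uri=service=&state=af0ifjsldkj&acr_values=test 302 5 11
[07/Feb/2019:09:25:18 +0100] ip GET /login?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode HTTP/1.1 ?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode 200 8909 138
[07/Feb/2019:09:30:38 +0100] ip GET /clientredirect?client_name=IDP-SAML2&service=service HTTP/1.1 ?client_name=SAML2&service=service 302 - 393
[07/Feb/2019:09:32:27 +0100] ip POST /login?client_name=IDP-SAML HTTP/1.1 ?client_name=clientId 302 - 247
[07/Feb/2019:09:32:28 +0100] 10.35.103.12 GET service?ticket=ST-2-xxxx HTTP/1.1 ?ticket=ST-2-xxxxidp-oidc 404 2343 128
""".splitlines()

# Assumed line layout, inferred from the pasted logs:
#   [timestamp] client METHOD target HTTP/1.x [?echoed-query] status bytes millis
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)"
    r"\s+HTTP/1\.[01](?:\s+(?P<query>\?\S*))?\s+(?P<status>\d{3})\s+(?P<bytes>\S+)\s+(?P<ms>\d+)$"
)

# Request paths seen in the working (non-delegated) flow, in order. The last
# two are where the service ticket is validated and handed to the OAuth callback.
EXPECTED_PATHS = ["/oidc/authorize", "/login", "/p3/serviceValidate", "/oauth2.0/callbackAuthorize"]


def parse_log(lines):
    """Turn access-log lines into dicts with method, path, parsed query and status."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised access-log line: {line[:60]!r}")
        path, _, query = m.group("target").partition("?")
        records.append({
            "method": m.group("method"),
            "path": path,
            "query": parse_qs(query, keep_blank_values=True),
            "status": int(m.group("status")),
        })
    return records


def missing_steps(lines):
    """Expected request paths that never appear in the flow, in expected order."""
    seen = {r["path"] for r in parse_log(lines)}
    return [p for p in EXPECTED_PATHS if p not in seen]


def ticket_hops(lines):
    """(path, status) of every request that carried a CAS service ticket."""
    return [(r["path"], r["status"]) for r in parse_log(lines) if "ticket" in r["query"]]


def login_service_path(lines):
    """Path of the service that /login was requested for, decoded from its service= parameter."""
    for r in parse_log(lines):
        if r["path"] == "/login" and "service" in r["query"]:
            return urlsplit(r["query"]["service"][0]).path
    return None


def ticket_reached_callback(lines):
    """True if the service ticket was presented to the service that /login was started for."""
    callback = login_service_path(lines)
    return callback is not None and any(path == callback for path, _ in ticket_hops(lines))


if __name__ == "__main__":
    for name, lines in (("without delegation", NO_DELEGATION), ("with SAML2 delegation", WITH_DELEGATION)):
        print(f"{name}: missing={missing_steps(lines)} ticket_hops={ticket_hops(lines)} "
              f"ticket reached {login_service_path(lines)}: {ticket_reached_callback(lines)}")
```

Run against the two constructed flows, the delegated one reports `/p3/serviceValidate` and `/oauth2.0/callbackAuthorize` as never requested and shows the ticket being presented to `service` (the 404 hop) rather than to the `/oauth2.0/callbackAuthorize` URL that the `/login` step was started for. Feeding the real, unwrapped Tomcat access log through `parse_log` gives the same comparison without reading the encoded `service=` parameters by hand.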