Hi Andy, here is my cas.log for OIDC + SAML2 delegation:
2019-02-08 09:36:20,832 DEBUG [org.apereo.cas.oidc.web.OidcCasClientRedirectActionBuilder] - <Final redirect action is [#RedirectAction# | type: REDIRECT | location: oidc.fr/login?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3Dservice.clientId%26redirect_uri%3Dservice.redirect_uri%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient | content: null |]> 2019-02-08 09:36:21,167 INFO [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for cookies for warn cookie generator to: [/] > 2019-02-08 09:36:21,167 INFO [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for cookies for warn cookie generator to: [/] > 2019-02-08 09:36:21,263 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: audit:unknown WHAT: [result=Client Access Granted,client=IDP-SAML2,registeredService=service.clientId:^service.redirect_uri] ACTION: DELEGATED_CLIENT_SUCCESS APPLICATION: CAS WHEN: Fri Feb 08 09:36:21 CET 2019 CLIENT IP ADDRESS: ip SERVER IP ADDRESS: ip ============================================================= > 2019-02-08 09:36:21,263 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: audit:unknown WHAT: [result=Client Access Granted,client=IDP-SAML2,registeredService=serviceName:^service.redirect_uri] ACTION: DELEGATED_CLIENT_SUCCESS APPLICATION: CAS WHEN: Fri Feb 08 09:36:21 CET 2019 CLIENT IP ADDRESS: ip SERVER IP ADDRESS: ip ============================================================= > 2019-02-08 09:36:21,292 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: audit:unknown WHAT: [event=success,timestamp=Fri Feb 08 09:36:21 CET 
2019,source=RankedAuthenticationProviderWebflowEventResolver] ACTION: AUTHENTICATION_EVENT_TRIGGERED APPLICATION: CAS WHEN: Fri Feb 08 09:36:21 CET 2019 CLIENT IP ADDRESS: ip SERVER IP ADDRESS: ip ============================================================= > 2019-02-08 09:36:21,292 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: audit:unknown WHAT: [event=success,timestamp=Fri Feb 08 09:36:21 CET 2019,source=RankedAuthenticationProviderWebflowEventResolver] ACTION: AUTHENTICATION_EVENT_TRIGGERED APPLICATION: CAS WHEN: Fri Feb 08 09:36:21 CET 2019 CLIENT IP ADDRESS: ip SERVER IP ADDRESS: ip ============================================================= 2019-02-08 09:46:13,526 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Storing delegated authentication request ticket [TST-********************] for service [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] with properties [{theme=, locale=, method=, service=AbstractWebApplicationService(id=service.redirect_uri, originalUrl=redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})}]> 2019-02-08 09:46:13,955 DEBUG [org.apereo.cas.web.DelegatedClientNavigationController] - <Redirecting client [IDP-SAML2] to [ https://idp-SAML2/cas/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fVJL****************&RelayState=TST-****************&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=JfBh************.....] 
based on identifier [TST-*************************************]>
2019-02-08 09:46:13,966 DEBUG [org.apereo.cas.web.pac4j.SessionStoreCookieGenerator] - <Added cookie with name [PAC4JDELSESSION] and value [eyJ****Zw==.Elyf************]>
2019-02-08 09:53:06,842 DEBUG [org.apereo.cas.web.pac4j.SessionStoreCookieGenerator] - <Removed cookie with name [PAC4JDELSESSION]>
2019-02-08 09:53:06,842 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Client identifier could not found as part of the request parameters. Looking at relay-state for the SAML2 client>

I get an error at this point because Apereo sets the parameter to samlRelayState and I think pac4j looked for RelayState, so I modified the name, but it is possible that it is the opposite.

2019-02-08 09:53:06,842 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Located delegated client identifier for this request as [null]>
2019-02-08 09:53:06,843 ERROR [org.apereo.cas.web.DelegatedClientWebflowManager] - <Delegated client identifier cannot be located in the authentication request [oidc.fr/login?client_name=IDP-SAML2]>

After that I had an exception:

2019-02-08 09:53:06,846 ERROR [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <>
org.apereo.cas.services.UnauthorizedServiceException:
    at org.apereo.cas.web.DelegatedClientWebflowManager.retrieveSessionTicketViaClientId(DelegatedClientWebflowManager.java:180) ~[classes/:5.3.7]
    at org.apereo.cas.web.DelegatedClientWebflowManager.retrieve(DelegatedClientWebflowManager.java:153) ~[classes/:5.3.7]

When I change RelayState to samlRelayState:

2019-02-08 10:16:45,303 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Client identifier could not found as part of the request parameters. 
Looking at relay-state for the SAML2 client> 2019-02-08 10:16:45,303 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Located delegated client identifier for this request as [null]> 2019-02-08 10:16:45,305 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Located delegated client identifier as [TST-**************************]> 2019-02-08 10:16:45,305 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Restoring requested service [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] back in the authentication flow > 2019-02-08 10:16:45,305 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Removing delegated client identifier [TST-***************************} from registry> 2019-02-08 10:16:45,306 DEBUG [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <Delegated authentication client is [#SAML2Client# | name: IDP-ENT-test-dev3 | callbackUrl: https://idp-oidc .fr/login | urlResolver: org.pac4j.core.http.url.DefaultUrlResolver@1a8335ef | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@48630fdc | ajax RequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@625a354d | redirectActionBuilder: org.pac4j.saml.redirect.SAML2RedirectActionBuilder@197fae8c | credentialsExtractor: org.pac4j.saml.cred entials.extractor.SAML2CredentialsExtractor@1ad0dc01 | authenticator: org.pac4j.saml.credentials.authenticator.SAML2Authenticator@4a1d2d68 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfi leCreator@36aab35d | logoutActionBuilder: org.pac4j.saml.logout.SAML2LogoutActionBuilder@795e993b | authorizationGenerators: [] |] with service [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})} > 
2019-02-08 10:16:45,307 DEBUG [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <Located registered service definition [OidcRegisteredService(super=OAuthRegisteredService(super=AbstractRegiste redService(serviceId=^service.redirect_uri, name=service.clientId, theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=***, descript ion=null, expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, expirationDate=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPo licy@1, evaluationOrder=0, usernameAttributeProvider=PrincipalAttributeRegisteredServiceUsernameProvider(usernameAttribute=IDO), logoutType=BACK_CHANNEL, requiredHandlers=[], attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[BaseOidcScopeAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, excludedAttributes=null, includeOnlyAttributes=null), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null), allowedAttributes=[name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at], scopeName=profile)]), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-duo], failureMode=NONE, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false), logo=null, logoutUrl=null, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[]), 
requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, properties={}, contacts=[]), clientSecret=secret, clientId=androidGarClient, bypassApprovalPrompt=false, generateRefreshToken=true, jsonFormat=true, supportedGrantTypes=[], supportedResponseTypes=[]), jwks=null, signIdToken=true, encryptIdToken=false, idTokenEncryptionAlg=null, idTokenEncryptionEncoding=null, sectorIdentifierUri=null, subjectType=public, dynamicallyRegistered=false, implicit=false, dynamicRegistrationDateTime=null, scopes=[profile])] matching [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})]> 2019-02-08 10:16:45,307 DEBUG [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <Located registered service definition [OidcRegisteredService(super=OAuthRegisteredService(super=AbstractRegisteredService(serviceId=^service.redirect_uri, name=service.clientId, theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=*****, description=null, expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, expirationDate=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, evaluationOrder=0, usernameAttributeProvider=PrincipalAttributeRegisteredServiceUsernameProvider(usernameAttribute=*****), logoutType=BACK_CHANNEL, requiredHandlers=[], attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[BaseOidcScopeAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, excludedAttributes=null, includeOnlyAttributes=null), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, 
excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null), allowedAttributes=[name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at], scopeName=profile)]), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-duo], failureMode=NONE, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false), logo=null, logoutUrl=null, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[]), requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, properties={}, contacts=[]), clientSecret=service.secret, clientId=service.clientId, bypassApprovalPrompt=false, generateRefreshToken=true, jsonFormat=true, supportedGrantTypes=[], supportedResponseTypes=[]), jwks=null, signIdToken=true, encryptIdToken=false, idTokenEncryptionAlg=null, idTokenEncryptionEncoding=null, sectorIdentifierUri=null, subjectType=public, dynamicallyRegistered=false, implicit=false, dynamicRegistrationDateTime=null, scopes=[profile])] matching [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})]> 2019-02-08 10:16:45,307 WARN [org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy] - <Registered service [service.clientName] does not define any authorized/supported delegated authentication providers. It is STRONGLY recommended that you authorize and assign providers to the service definition. 
While just a warning for now, this behavior will be enforced by CAS in future versions.> 2019-02-08 10:16:45,307 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: audit:unknown WHAT: [result=Client Access Granted,client=IDPSAML2,registeredService=service.clientName:^service.redirect_uri] ACTION: DELEGATED_CLIENT_SUCCESS APPLICATION: CAS WHEN: Fri Feb 08 10:16:45 CET 2019 CLIENT IP ADDRESS: ip SERVER IP ADDRESS: ip ============================================================= > 2019-02-08 10:16:45,307 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: audit:unknown WHAT: [result=Client Access Granted,client=IDP-SAML2,registeredService=service.clientName:^service.redirect_uri] ACTION: DELEGATED_CLIENT_SUCCESS APPLICATION: CAS WHEN: Fri Feb 08 10:16:45 CET 2019 CLIENT IP ADDRESS: ip SERVER IP ADDRESS: ip ============================================================= 2019-02-08 10:16:45,308 DEBUG [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <Delegated authentication policy for [OidcRegisteredService(super=OAuthRegisteredService(super=AbstractRegisteredService(serviceId=^service.redirect_uri, name=service.clientName, theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=1003, description=null, expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, expirationDate=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, evaluationOrder=0, usernameAttributeProvider=PrincipalAttributeRegisteredServiceUsernameProvider(usernameAttribute=*******), logoutType=BACK_CHANNEL, requiredHandlers=[], 
attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[BaseOidcScopeAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, excludedAttributes=null, includeOnlyAttributes=null), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null), allowedAttributes=[name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at], scopeName=profile)]), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-duo], failureMode=NONE, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false), logo=null, logoutUrl=null, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[]), requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, properties={}, contacts=[]), clientSecret=service.secret, clientId=service.clientId, bypassApprovalPrompt=false, generateRefreshToken=true, jsonFormat=true, supportedGrantTypes=[], supportedResponseTypes=[]), jwks=null, signIdToken=true, encryptIdToken=false, idTokenEncryptionAlg=null, idTokenEncryptionEncoding=null, sectorIdentifierUri=null, subjectType=public, dynamicallyRegistered=false, implicit=false, dynamicRegistrationDateTime=null, scopes=[profile])] allows for using client [#SAML2Client# | name: IDP-SAML2 | callbackUrl: https://idp-oidc.fr/login | urlResolver: org.pac4j.core.http.url.DefaultUrlResolver@1a8335ef | callbackUrlResolver: 
org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@48630fdc | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@625a354d | redirectActionBuilder: org.pac4j.saml.redirect.SAML2RedirectActionBuilder@197fae8c | credentialsExtractor: org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@1ad0dc01 | authenticator: org.pac4j.saml.credentials.authenticator.SAML2Authenticator@4a1d2d68 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@36aab35d | logoutActionBuilder: org.pac4j.saml.logout.SAML2LogoutActionBuilder@795e993b | authorizationGenerators: [] |]> 2019-02-08 10:16:45,488 DEBUG [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <Retrieved credentials from client as [SAML2Credentials{nameId=SAMLNameID{format='urn:oasis:names:tc:SAML:2.0:nameid-format:transient', nameQualifier='null', spNameQualifier='null', spProviderId='null', value='userLogged(pseudo)'}, sessionIndex='null', attributes=[SAMLAttribute{friendlyName='samlAuthenticationStatementAuthMethod', name='samlAuthenticationStatementAuthMethod', nameFormat='null', attributeValues=[urn:oasis:names:tc:SAML:1.0:am:password]}, SAMLAttribute{friendlyName='isFromNewLogin', name='isFromNewLogin', nameFormat='null', attributeValues=[false]}, SAMLAttribute{friendlyName='authenticationDate', name='authenticationDate', nameFormat='null', attributeValues=[2019-02-08T10:16:44.509+01:00[Europe/Paris]]}, SAMLAttribute{friendlyName='authenticationMethod', name='authenticationMethod', nameFormat='null', attributeValues=[FileAuthenticationHandler]}, SAMLAttribute{friendlyName='successfulAuthenticationHandlers', name='successfulAuthenticationHandlers', nameFormat='null', attributeValues=[FileAuthenticationHandler]}, SAMLAttribute{friendlyName='longTermAuthenticationRequestTokenUsed', name='longTermAuthenticationRequestTokenUsed', nameFormat='null', attributeValues=[false]}], conditions=SAMLConditions{notBefore=2019-02-08T09:16:44.605Z, 
notOnOrAfter=2019-02-08T09:16:44.605Z}, issuerId='https://idp-SAML2', authnContexts=[urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified]}]> 2019-02-08 10:16:45,490 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Attempting to resolve authentication event using resolver [ServiceTicketRequestWebflowEventResolver]> 2019-02-08 10:16:45,491 DEBUG [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver] - <Located ticket-granting ticket [null] from the request context> 2019-02-08 10:16:45,491 DEBUG [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver] - <Located service [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] from the request context> 2019-02-08 10:16:45,491 DEBUG [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver] - <Provided value for [renew] request parameter is [null]> 2019-02-08 10:16:45,491 DEBUG [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver] - <Request is not eligible to be issued service tickets just yet> 2019-02-08 10:16:45,492 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Attempting to resolve authentication event using resolver [InitialAuthenticationAttemptWebflowEventResolver]> 2019-02-08 10:16:45,524 DEBUG [org.apereo.cas.support.pac4j.authentication.handler.support.ClientAuthenticationHandler] - <Located client credentials as [ClientCredential(typedIdUsed=false, userProfile=#SAML2Profile# | id: userPseudo | attributes: {samlAuthenticationStatementAuthMethod=[urn:oasis:names:tc:SAML:1.0:am:password], isFromNewLogin=[false], authenticationDate=[2019-02-08T10:16:44.509+01:00[Europe/Paris]], authenticationMethod=[FileAuthenticationHandler], successfulAuthenticationHandlers=[FileAuthenticationHandler], 
notOnOrAfter=2019-02-08T09:16:44.605Z, longTermAuthenticationRequestTokenUsed=[false], notBefore=2019-02-08T09:16:44.605Z} | roles: [] | permissions: [] | isRemembered: false | clientName: IDP-SAML2 | linkedId: null |, credentials=SAML2Credentials{nameId=SAMLNameID{format='urn:oasis:names:tc:SAML:2.0:nameid-format:transient', nameQualifier='null', spNameQualifier='null', spProviderId='null', value='userPseudo'}, sessionIndex='null', attributes=[SAMLAttribute{friendlyName='samlAuthenticationStatementAuthMethod', name='samlAuthenticationStatementAuthMethod', nameFormat='null', attributeValues=[urn:oasis:names:tc:SAML:1.0:am:password]}, SAMLAttribute{friendlyName='isFromNewLogin', name='isFromNewLogin', nameFormat='null', attributeValues=[false]}, SAMLAttribute{friendlyName='authenticationDate', name='authenticationDate', nameFormat='null', attributeValues=[2019-02-08T10:16:44.509+01:00[Europe/Paris]]}, SAMLAttribute{friendlyName='authenticationMethod', name='authenticationMethod', nameFormat='null', attributeValues=[FileAuthenticationHandler]}, SAMLAttribute{friendlyName='successfulAuthenticationHandlers', name='successfulAuthenticationHandlers', nameFormat='null', attributeValues=[FileAuthenticationHandler]}, SAMLAttribute{friendlyName='longTermAuthenticationRequestTokenUsed', name='longTermAuthenticationRequestTokenUsed', nameFormat='null', attributeValues=[false]}], conditions=SAMLConditions{notBefore=2019-02-08T09:16:44.605Z, notOnOrAfter=2019-02-08T09:16:44.605Z}, issuerId='https://IDP-SAML2/cas/idp', authnContexts=[urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified]}, clientName=IDP-SAML2.clientName)]> 2019-02-08 10:16:45,524 DEBUG [org.apereo.cas.support.pac4j.authentication.handler.support.ClientAuthenticationHandler] - <Client name: [IDP-SAML2.clientName]> 2019-02-08 10:16:45,525 DEBUG [org.apereo.cas.support.pac4j.authentication.handler.support.ClientAuthenticationHandler] - <Delegated client is: [#SAML2Client# | name: IDP-SAML2.clientName | callbackUrl: 
https://idp-oidc.fr/login | urlResolver: org.pac4j.core.http.url.DefaultUrlResolver@1a8335ef | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@48630fdc | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@625a354d | redirectActionBuilder: org.pac4j.saml.redirect.SAML2RedirectActionBuilder@197fae8c | credentialsExtractor: org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@1ad0dc01 | authenticator: org.pac4j.saml.credentials.authenticator.SAML2Authenticator@4a1d2d68 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@36aab35d | logoutActionBuilder: org.pac4j.saml.logout.SAML2LogoutActionBuilder@795e993b | authorizationGenerators: [] |]> 2019-02-08 10:16:45,525 DEBUG [org.apereo.cas.support.pac4j.authentication.handler.support.ClientAuthenticationHandler] - <Final user profile is: [#SAML2Profile# | id: userPseudo | attributes: {samlAuthenticationStatementAuthMethod=[urn:oasis:names:tc:SAML:1.0:am:password], isFromNewLogin=[false], authenticationDate=[2019-02-08T10:16:44.509+01:00[Europe/Paris]], authenticationMethod=[FileAuthenticationHandler], successfulAuthenticationHandlers=[FileAuthenticationHandler], notOnOrAfter=2019-02-08T09:16:44.605Z, longTermAuthenticationRequestTokenUsed=[false], notBefore=2019-02-08T09:16:44.605Z} | roles: [] | permissions: [] | isRemembered: false | clientName: IDP-SAML2.clientName | linkedId: null |]> 2019-02-08 10:16:45,546 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: userPseudo WHAT: Supplied credentials: [ClientCredential(typedIdUsed=false, userProfile=#SAML2Profile# | id: userPseudo | attributes: {samlAuthenticationStatementAuthMethod=[urn:oasis:names:tc:SAML:1.0:am:password], isFromNewLogin=[false], authenticationDate=[2019-02-08T10:16:44.509+01:00[Europe/Paris]], authenticationMethod=[FileAuthenticationHandler], 
successfulAuthenticationHandlers=[FileAuthenticationHandler], notOnOrAfter=2019-02-08T09:16:44.605Z, longTermAuthenticationRequestTokenUsed=[false], notBefore=2019-02-08T09:16:44.605Z} | roles: [] | permissions: [] | isRemembered: false | clientName: service.clientName | linkedId: null |, credentials=SAML2Credentials{nameId=SAMLNameID{format='urn:oasis:names:tc:SAML:2.0:nameid-format:transient', nameQualifier='null', spNameQualifier='null', spProviderId='null', value='userPseudo'}, sessionIndex='null', attributes=[SAMLAttribute{friendlyName='samlAuthenticationStatementAuthMethod', name='samlAuthenticationStatementAuthMethod', nameFormat='null', attributeValues=[urn:oasis:names:tc:SAML:1.0:am:password]}, SAMLAttribute{friendlyName='isFromNewLogin', name='isFromNewLogin', nameFormat='null', attributeValues=[false]}, SAMLAttribute{friendlyName='authenticationDate', name='authenticationDate', nameFormat='null', attributeValues=[2019-02-08T10:16:44.509+01:00[Europe/Paris]]}, SAMLAttribute{friendlyName='authenticationMethod', name='authenticationMethod', nameFormat='null', attributeValues=[FileAuthenticationHandler]}, SAMLAttribute{friendlyName='successfulAuthenticationHandlers', name='successfulAuthenticationHandlers', nameFormat='null', attributeValues=[FileAuthenticationHandler]}, SAMLAttribute{friendlyName='longTermAuthenticationRequestTokenUsed', name='longTermAuthenticationRequestTokenUsed', nameFormat='null', attributeValues=[false]}], conditions=SAMLConditions{notBefore=2019-02-08T09:16:44.605Z, notOnOrAfter=2019-02-08T09:16:44.605Z}, issuerId='https://IDP-SAML2/cas/idp', authnContexts=[urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified]}, clientName=IDP-SAML2.clientName)] ACTION: AUTHENTICATION_SUCCESS APPLICATION: CAS WHEN: Fri Feb 08 10:16:45 CET 2019 CLIENT IP ADDRESS: ip SERVER IP ADDRESS: ip ============================================================= > 2019-02-08 10:16:45,550 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - <Locating service [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] in service registry to determine authentication policy> 2019-02-08 10:16:45,550 DEBUG [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - <Locating authentication event in the request context...> 2019-02-08 10:16:45,550 DEBUG [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - <Enforcing access strategy policies for registered service [OidcRegisteredService(super=OAuthRegisteredService(super=AbstractRegisteredService(serviceId=^service.redirect_uri, name=service.clientName, theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=1003, description=null, expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, expirationDate=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, evaluationOrder=0, usernameAttributeProvider=PrincipalAttributeRegisteredServiceUsernameProvider(usernameAttribute=*****), logoutType=BACK_CHANNEL, requiredHandlers=[], attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[BaseOidcScopeAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, excludedAttributes=null, includeOnlyAttributes=null), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null), allowedAttributes=[name, family_name, given_name, middle_name, nickname, preferred_username, profile, 
picture, website, gender, birthdate, zoneinfo, locale, updated_at], scopeName=profile)]), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-duo], failureMode=NONE, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false), logo=null, logoutUrl=null, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[]), requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, properties={}, contacts=[]), clientSecret=service.secret, clientId=service.clientId, bypassApprovalPrompt=false, generateRefreshToken=true, jsonFormat=true, supportedGrantTypes=[], supportedResponseTypes=[]), jwks=null, signIdToken=true, encryptIdToken=false, idTokenEncryptionAlg=null, idTokenEncryptionEncoding=null, sectorIdentifierUri=null, subjectType=public, dynamicallyRegistered=false, implicit=false, dynamicRegistrationDateTime=null, scopes=[profile])] and principal [SimplePrincipal(id=userPseudo, attributes={samlAuthenticationStatementAuthMethod=[urn:oasis:names:tc:SAML:1.0:am:password], isFromNewLogin=[false], authenticationDate=[2019-02-08T10:16:44.509+01:00[Europe/Paris]], authenticationMethod=[FileAuthenticationHandler], successfulAuthenticationHandlers=[FileAuthenticationHandler], notOnOrAfter=2019-02-08T09:16:44.605Z, longTermAuthenticationRequestTokenUsed=[false], notBefore=2019-02-08T09:16:44.605Z})]> 2019-02-08 10:16:45,557 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: userPseudo WHAT: [result=Service Access Granted,service=service.redirect_uri,principal=SimplePrincipal(id=userPseudo, 
attributes={samlAuthenticationStatementAuthMethod=[urn:oasis:names:tc:SAML:1.0:am:password], isFromNewLogin=[false], authenticationDate=[2019-02-08T10:16:44.509+01:00[Europe/Paris]], authenticationMethod=[FileAuthenticationHandler], successfulAuthenticationHandlers=[FileAuthenticationHandler], notOnOrAfter=2019-02-08T09:16:44.605Z, longTermAuthenticationRequestTokenUsed=[false], notBefore=2019-02-08T09:16:44.605Z}),requiredAttributes={}] ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED APPLICATION: CAS WHEN: Fri Feb 08 10:16:45 CET 2019 CLIENT IP ADDRESS: ip SERVER IP ADDRESS: ip ============================================================= > 2019-02-08 10:16:45,558 DEBUG [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - <Attempting to resolve candidate authentication events for service [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})]> 2019-02-08 10:16:45,566 DEBUG [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - <Resolving candidate authentication event for service [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] using [AdaptiveMultifactorAuthenticationPolicyEventResolver]> 2019-02-08 10:16:45,568 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Attempting to resolve authentication event using resolver [AdaptiveMultifactorAuthenticationPolicyEventResolver]> 2019-02-08 10:16:45,568 DEBUG [org.apereo.cas.web.flow.resolver.impl.mfa.adaptive.AdaptiveMultifactorAuthenticationPolicyEventResolver] - <Adaptive authentication is not configured to require multifactor authentication> 2019-02-08 10:16:45,592 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - <Resolving candidate authentication event for service [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] using [RequestParameterMultifactorAuthenticationPolicyEventResolver]> 2019-02-08 10:16:45,594 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Attempting to resolve authentication event using resolver [RequestParameterMultifactorAuthenticationPolicyEventResolver]> 2019-02-08 10:16:45,595 DEBUG [org.apereo.cas.web.flow.resolver.impl.mfa.request.RequestParameterMultifactorAuthenticationPolicyEventResolver] - <No value could be found for request parameter [authn_method]> 2019-02-08 10:16:45,601 DEBUG [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - <Resolving candidate authentication event for service [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] using [RequestHeaderMultifactorAuthenticationPolicyEventResolver]> 2019-02-08 10:16:45,602 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Attempting to resolve authentication event using resolver [RequestHeaderMultifactorAuthenticationPolicyEventResolver]> 2019-02-08 10:16:45,685 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Attempting to resolve authentication event using resolver [OidcAuthenticationContextWebflowEventResolver]> 2019-02-08 10:16:45,685 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Attempting to resolve authentication event using resolver [OidcAuthenticationContextWebflowEventResolver]> 2019-02-08 10:16:45,686 DEBUG 
[org.apereo.cas.oidc.web.flow.OidcAuthenticationContextWebflowEventResolver] - <No ACR provided in the authentication request> 2019-02-08 10:16:45,686 DEBUG [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - <No candidate authentication events were resolved for service [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})]> 2019-02-08 10:16:45,686 DEBUG [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - <No candidate authentication events were resolved for service [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})]> 2019-02-08 10:16:45,686 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Resolved single event [success] via [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] for this context> 2019-02-08 10:16:45,686 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Resolved single event [success] via [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] for this context> 2019-02-08 10:16:45,687 DEBUG [org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - <Finalizing authentication transactions and issuing ticket-granting ticket> 2019-02-08 10:16:45,687 DEBUG [org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - <Finalizing authentication transactions and issuing ticket-granting ticket> 2019-02-08 10:16:45,695 DEBUG [org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - <Finalizing authentication event...> 2019-02-08 10:16:45,695 DEBUG [org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - <Finalizing authentication event...> 2019-02-08 
10:16:45,696 DEBUG [org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - <Creating ticket-granting ticket, potentially based on [null]> 2019-02-08 10:16:45,696 DEBUG [org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - <Creating ticket-granting ticket, potentially based on [null]> 2019-02-08 10:16:45,696 DEBUG [org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - <Attempting to issue a new ticket-granting ticket...> 2019-02-08 10:16:45,696 DEBUG [org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - <Attempting to issue a new ticket-granting ticket...> 2019-02-08 10:16:45,705 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: userPseudo WHAT: [result=Service Access Granted,service=service.redirect_uri,principal=SimplePrincipal(id=userPseudo, attributes={samlAuthenticationStatementAuthMethod=[urn:oasis:names:tc:SAML:1.0:am:password], isFromNewLogin=[false], authenticationDate=[2019-02-08T10:16:44.509+01:00[Europe/Paris]], authenticationMethod=[FileAuthenticationHandler], successfulAuthenticationHandlers=[FileAuthenticationHandler], notOnOrAfter=[2019-02-08T09:16:44.605Z], longTermAuthenticationRequestTokenUsed=[false], notBefore=[2019-02-08T09:16:44.605Z]}),requiredAttributes={}] ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED APPLICATION: CAS WHEN: Fri Feb 08 10:16:45 CET 2019 CLIENT IP ADDRESS: ip SERVER IP ADDRESS: ip ============================================================= > 2019-02-08 10:16:45,731 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: userPseudo WHAT: TGT-1-*******************************************************************************************st-oidc.fr ACTION: TICKET_GRANTING_TICKET_CREATED APPLICATION: CAS WHEN: Fri Feb 08 10:16:45 CET 2019 CLIENT IP ADDRESS: ip 
SERVER IP ADDRESS: ip ============================================================= > 2019-02-08 10:16:45,731 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: userPseudo WHAT: TGT-1-*******************************************************************************************st-oidc.fr ACTION: TICKET_GRANTING_TICKET_CREATED APPLICATION: CAS WHEN: Fri Feb 08 10:16:45 CET 2019 CLIENT IP ADDRESS: ip SERVER IP ADDRESS: ip ============================================================= 2019-02-08 10:16:45,732 DEBUG [org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - <Calculating authentication warning messages...> 2019-02-08 10:16:45,733 DEBUG [org.apereo.cas.web.flow.DefaultSingleSignOnParticipationStrategy] - <Located [^service.redirect_uri] in registry. Service access to participate in SSO is set to [true]> 2019-02-08 10:16:45,734 DEBUG [org.apereo.cas.web.flow.login.SendTicketGrantingTicketAction] - <Setting ticket-granting cookie for current session linked to [TGT-1-*******************************************************************************************st-oidc.fr].> 2019-02-08 10:16:45,737 DEBUG [org.apereo.cas.web.flow.GenerateServiceTicketAction] - <Service asking for service ticket is [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})]> 2019-02-08 10:16:45,737 DEBUG [org.apereo.cas.web.flow.GenerateServiceTicketAction] - <Ticket-granting ticket found in the context is [TGT-1-*******************************************************************************************st-oidc.fr]> 2019-02-08 10:16:45,745 DEBUG [org.apereo.cas.web.flow.GenerateServiceTicketAction] - <Registered service asking for service ticket is 
[OidcRegisteredService(super=OAuthRegisteredService(super=AbstractRegisteredService(serviceId=^service.redirect_uri, name=service.clientName, theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=****, description=null, expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, expirationDate=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, evaluationOrder=0, usernameAttributeProvider=PrincipalAttributeRegisteredServiceUsernameProvider(usernameAttribute=****), logoutType=BACK_CHANNEL, requiredHandlers=[], attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[BaseOidcScopeAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, excludedAttributes=null, includeOnlyAttributes=null), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null), allowedAttributes=[name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at], scopeName=profile)]), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-duo], failureMode=NONE, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false), logo=null, logoutUrl=null, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[]), requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, properties={}, contacts=[]), 
clientSecret=service.clientSecret, clientId=service.clientId, bypassApprovalPrompt=false, generateRefreshToken=true, jsonFormat=true, supportedGrantTypes=[], supportedResponseTypes=[]), jwks=null, signIdToken=true, encryptIdToken=false, idTokenEncryptionAlg=null, idTokenEncryptionEncoding=null, sectorIdentifierUri=null, subjectType=public, dynamicallyRegistered=false, implicit=false, dynamicRegistrationDateTime=null, scopes=[profile])]> 2019-02-08 10:16:45,746 DEBUG [org.apereo.cas.web.flow.GenerateServiceTicketAction] - <Built the final authentication result [DefaultAuthenticationResult(credentialProvided=true, authentication=org.apereo.cas.authentication.DefaultAuthentication@8e4e9ee1, service=AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={}))] to grant service ticket to [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})]> 2019-02-08 10:16:45,750 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: userPseudo WHAT: [result=Service Access Granted,service=service.redirect_uri,requiredAttributes={}] ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED APPLICATION: CAS WHEN: Fri Feb 08 10:16:45 CET 2019 CLIENT IP ADDRESS: idp SERVER IP ADDRESS: idp ============================================================= > 2019-02-08 10:16:45,775 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: userPseudo WHAT: ST-1-****idp-oidc.fr for service.redirect_uri ACTION: SERVICE_TICKET_CREATED APPLICATION: CAS WHEN: Fri Feb 08 10:16:45 CET 2019 CLIENT IP ADDRESS: idp SERVER IP ADDRESS: idp 
============================================================= > 2019-02-08 10:16:45,780 DEBUG [org.apereo.cas.web.flow.GenerateServiceTicketAction] - <Granted service ticket [ST-1-****idp-oidc.fr] and added it to the request scope> 2019-02-08 10:16:45,781 DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Located service [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=userPseudo, source=service, loggedOutAlready=false, format=XML, attributes={})] from the context> 2019-02-08 10:16:45,781 DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Located authentication [org.apereo.cas.authentication.DefaultAuthentication@5ecac821] from the context> 2019-02-08 10:16:45,782 DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Located service response builder [org.apereo.cas.authentication.principal.WebApplicationServiceResponseBuilder@f5c1f973] for [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=userPseudo, source=service, loggedOutAlready=false, format=XML, attributes={})]> 2019-02-08 10:16:45,787 DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Built response [org.apereo.cas.authentication.principal.DefaultResponse@19db421] for [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=userPseudo, source=service, loggedOutAlready=false, format=XML, attributes={})]> 2019-02-08 10:16:45,787 DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Signaling flow to redirect to service [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=userPseudo, source=service, loggedOutAlready=false, format=XML, attributes={})] via event [redirect]>

I don't know when the error occurred.
I will publish the logs about OIDC authentication later.

Thanks for your help,
Kyra

On Wednesday, 6 February 2019 08:56:47 UTC+1, kyra1510 wrote:
>
> Hi all,
>
> I apologize for my French English.
>
> I have a problem when I upgrade my CAS 5.2.x to CAS 5.3.7 with the SAML
> delegation.
> My CAS 5.3.7 is configured to use the OpenIdConnect authentication but it
> is possible to delegate the authentication to an IDP SAML2.
> I have no problem with the delegation in CAS 5.2.x
>
> When I use the OIDC authentication without delegation, the workflow is
> correct.
> Workflow:
> 1 The user enters their password and logs in on the authentication page
> 2 The user is redirected to a consent page
> 3 When the user clicks on the "allow" button, an authorization code is returned
>
> But when I use the SAML2 delegation, I am not redirected to the consent page:
> 1 The user clicks on the button which redirects to the correct IDP
> 2 The user logs in on the IDP SAML
> 3 After that, the user is returned to my CAS 5.3.7 and arrives on the page
> service?ticket=ST-x
> <https://idp-auth.poc-mobilite.test-gar.education.fr/com.worldline.bcmc.gar.openidcpoc.oidcnongar:/oauthredirect?ticket=ST-4-3XKBx3tGziyH-T3nCMxlmedrnycidp-auth.poc-mobilite.test-gar.education.fr>xxxxxxxxxxxxxxxxxxxxxxxxxxx
>
> and I have a code 302
>
>
> I found this issue on GitHub which seems to correspond to my problem:
> https://github.com/apereo/cas/pull/3664.
> It describes the same issue in CAS 5.3.x in the SAML2 protocol before the
> bug was fixed. It didn't concern the delegation.
> Could this problem be related to my issue?
>
> Thanks for any help.
>
> Kyra
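One way to see where a flow like the one logged above stops is to reduce the log to its audit trail. The following is an added example, not part of the original message and not CAS project code: a Python parser for the Inspektr audit records in the form they take above, which drops the doubled entries and returns the ordered actions. The sample input is constructed from masked values in the post, and the function names are this example's own.

```python
import re

# \s+ between fields lets one pattern match both the multi-line records CAS
# writes and the flattened single-line form they take in the post above.
AUDIT_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+INFO\s+"
    r"\[[\w.]*Slf4jLoggingAuditTrailManager\]\s+-\s+"
    r"<Audit trail record BEGIN\s+=+\s+"
    r"WHO:\s+(?P<who>.*?)\s+WHAT:\s+(?P<what>.*?)\s+ACTION:\s+(?P<action>\w+)\s+"
    r"APPLICATION:\s+(?P<app>.*?)\s+WHEN:\s+(?P<when>.*?)\s+"
    r"CLIENT IP ADDRESS:\s+(?P<client>.*?)\s+SERVER IP ADDRESS:\s+(?P<server>.*?)\s+=+",
    re.DOTALL,
)

def parse_audit(text):
    """Return every audit record in the text as a dict, in log order."""
    return [m.groupdict() for m in AUDIT_RE.finditer(text)]

def collapse_duplicates(records):
    """Drop a record that is identical to the one just before it."""
    kept = []
    for rec in records:
        if not kept or rec != kept[-1]:
            kept.append(rec)
    return kept

def timeline(text):
    """Ordered (timestamp, who, action) tuples with doubled entries removed."""
    return [(r["ts"], r["who"], r["action"])
            for r in collapse_duplicates(parse_audit(text))]

def make_record(ts, who, what, action):
    """Build one flattened audit record (used only for the constructed sample)."""
    bar = "=" * 61
    return (f"{ts} INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - "
            f"<Audit trail record BEGIN {bar} WHO: {who} WHAT: {what} ACTION: {action} "
            f"APPLICATION: CAS WHEN: Fri Feb 08 2019 CLIENT IP ADDRESS: ip "
            f"SERVER IP ADDRESS: ip {bar} > ")

# Constructed sample: three audit records, two of them written twice, with a
# DEBUG line in between, mirroring the shape of the log in the post.
SAMPLE = (
    make_record("2019-02-08 09:36:21,263", "audit:unknown",
                "[result=Client Access Granted,client=IDP-SAML2,"
                "registeredService=service.clientId:^service.redirect_uri]",
                "DELEGATED_CLIENT_SUCCESS") * 2
    + "2019-02-08 10:16:45,696 DEBUG [org.apereo.cas.web.flow.login."
      "CreateTicketGrantingTicketAction] - <Attempting to issue a new ticket-granting ticket...> "
    + make_record("2019-02-08 10:16:45,731", "userPseudo", "TGT-1-****st-oidc.fr",
                  "TICKET_GRANTING_TICKET_CREATED") * 2
    + make_record("2019-02-08 10:16:45,775", "userPseudo",
                  "ST-1-****idp-oidc.fr for service.redirect_uri", "SERVICE_TICKET_CREATED")
)

if __name__ == "__main__":
    for ts, who, action in timeline(SAMPLE):
        print(ts, who, action)
```

The last tuple in the timeline is the final audited action before the redirect, which narrows down which webflow step to inspect in the DEBUG lines around that timestamp.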