Hi Andy,

Here is my cas.log for OIDC + SAML2 delegation:

2019-02-08 09:36:20,832 DEBUG [org.apereo.cas.oidc.web.OidcCasClientRedirectActionBuilder] - <Final redirect action is [#RedirectAction# | type: REDIRECT | location: oidc.fr/login?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3Dservice.clientId%26redirect_uri%3Dservice.redirect_uri%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient | content: null |]>

2019-02-08 09:36:21,167 INFO [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for cookies for warn cookie generator to: [/] >

2019-02-08 09:36:21,167 INFO [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for cookies for warn cookie generator to: [/] >

2019-02-08 09:36:21,263 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Client Access Granted,client=IDP-SAML2,registeredService=service.clientId:^service.redirect_uri]
ACTION: DELEGATED_CLIENT_SUCCESS
APPLICATION: CAS
WHEN: Fri Feb 08 09:36:21 CET 2019
CLIENT IP ADDRESS: ip
SERVER IP ADDRESS: ip
=============================================================

>

2019-02-08 09:36:21,263 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Client Access Granted,client=IDP-SAML2,registeredService=serviceName:^service.redirect_uri]
ACTION: DELEGATED_CLIENT_SUCCESS
APPLICATION: CAS
WHEN: Fri Feb 08 09:36:21 CET 2019
CLIENT IP ADDRESS: ip
SERVER IP ADDRESS: ip
=============================================================

>

2019-02-08 09:36:21,292 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Fri Feb 08 09:36:21 CET 2019,source=RankedAuthenticationProviderWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Feb 08 09:36:21 CET 2019
CLIENT IP ADDRESS: ip
SERVER IP ADDRESS: ip
=============================================================

>

2019-02-08 09:36:21,292 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Fri Feb 08 09:36:21 CET 2019,source=RankedAuthenticationProviderWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Feb 08 09:36:21 CET 2019
CLIENT IP ADDRESS: ip
SERVER IP ADDRESS: ip
=============================================================

2019-02-08 09:46:13,526 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Storing delegated authentication request ticket [TST-********************] for service [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] with properties [{theme=, locale=, method=, service=AbstractWebApplicationService(id=service.redirect_uri, originalUrl=redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})}]>

2019-02-08 09:46:13,955 DEBUG [org.apereo.cas.web.DelegatedClientNavigationController] - <Redirecting client [IDP-SAML2] to [https://idp-SAML2/cas/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fVJL****************&RelayState=TST-****************&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=JfBh************.....] based on identifier [TST-*************************************]>

2019-02-08 09:46:13,966 DEBUG [org.apereo.cas.web.pac4j.SessionStoreCookieGenerator] - <Added cookie with name [PAC4JDELSESSION] and value [eyJ****Zw==.Elyf************]>

2019-02-08 09:53:06,842 DEBUG [org.apereo.cas.web.pac4j.SessionStoreCookieGenerator] - <Removed cookie with name [PAC4JDELSESSION]>

2019-02-08 09:53:06,842 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Client identifier could not found as part of the request parameters. Looking at relay-state for the SAML2 client>

I have an error at this point because Apereo sets the parameter to samlRelayState and I think pac4j looks for RelayState, so I modified the name, but it is possible that it is the opposite.

2019-02-08 09:53:06,842 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Located delegated client identifier for this request as [null]>

2019-02-08 09:53:06,843 ERROR [org.apereo.cas.web.DelegatedClientWebflowManager] - <Delegated client identifier cannot be located in the authentication request [oidc.fr/login?client_name=IDP-SAML2]>

After that I had an exception:

2019-02-08 09:53:06,846 ERROR [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <>
org.apereo.cas.services.UnauthorizedServiceException:
        at org.apereo.cas.web.DelegatedClientWebflowManager.retrieveSessionTicketViaClientId(DelegatedClientWebflowManager.java:180) ~[classes/:5.3.7]
        at org.apereo.cas.web.DelegatedClientWebflowManager.retrieve(DelegatedClientWebflowManager.java:153) ~[classes/:5.3.7]

When I change RelayState to samlRelayState:

2019-02-08 10:16:45,303 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Client identifier could not found as part of the request parameters. Looking at relay-state for the SAML2 client>

2019-02-08 10:16:45,303 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Located delegated client identifier for this request as [null]>

2019-02-08 10:16:45,305 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Located delegated client identifier as [TST-**************************]>

2019-02-08 10:16:45,305 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Restoring requested service [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] back in the authentication flow>

2019-02-08 10:16:45,305 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Removing delegated client identifier [TST-***************************] from registry>

2019-02-08 10:16:45,306 DEBUG [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <Delegated authentication client is [#SAML2Client# | name: IDP-ENT-test-dev3 | callbackUrl: https://idp-oidc.fr/login | urlResolver: org.pac4j.core.http.url.DefaultUrlResolver@1a8335ef | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@48630fdc | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@625a354d | redirectActionBuilder: org.pac4j.saml.redirect.SAML2RedirectActionBuilder@197fae8c | credentialsExtractor: org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@1ad0dc01 | authenticator: org.pac4j.saml.credentials.authenticator.SAML2Authenticator@4a1d2d68 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@36aab35d | logoutActionBuilder: org.pac4j.saml.logout.SAML2LogoutActionBuilder@795e993b | authorizationGenerators: [] |] with service [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})]>

2019-02-08 10:16:45,307 DEBUG [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <Located registered service definition [OidcRegisteredService(super=OAuthRegisteredService(super=AbstractRegisteredService(serviceId=^service.redirect_uri, name=service.clientId, theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=***, description=null, expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, expirationDate=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, evaluationOrder=0, usernameAttributeProvider=PrincipalAttributeRegisteredServiceUsernameProvider(usernameAttribute=IDO), logoutType=BACK_CHANNEL, requiredHandlers=[], attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[BaseOidcScopeAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, excludedAttributes=null, includeOnlyAttributes=null), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null), allowedAttributes=[name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at], scopeName=profile)]), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-duo], failureMode=NONE, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false), logo=null, logoutUrl=null, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[]), requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, properties={}, contacts=[]), clientSecret=secret, clientId=androidGarClient, bypassApprovalPrompt=false, generateRefreshToken=true, jsonFormat=true, supportedGrantTypes=[], supportedResponseTypes=[]), jwks=null, signIdToken=true, encryptIdToken=false, idTokenEncryptionAlg=null, idTokenEncryptionEncoding=null, sectorIdentifierUri=null, subjectType=public, dynamicallyRegistered=false, implicit=false, dynamicRegistrationDateTime=null, scopes=[profile])] matching [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})]>

2019-02-08 10:16:45,307 DEBUG [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <Located registered service definition [OidcRegisteredService(super=OAuthRegisteredService(super=AbstractRegisteredService(serviceId=^service.redirect_uri, name=service.clientId, theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=*****, description=null, expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, expirationDate=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, evaluationOrder=0, usernameAttributeProvider=PrincipalAttributeRegisteredServiceUsernameProvider(usernameAttribute=*****), logoutType=BACK_CHANNEL, requiredHandlers=[], attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[BaseOidcScopeAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, excludedAttributes=null, includeOnlyAttributes=null), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null), allowedAttributes=[name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at], scopeName=profile)]), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-duo], failureMode=NONE, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false), logo=null, logoutUrl=null, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[]), requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, properties={}, contacts=[]), clientSecret=service.secret, clientId=service.clientId, bypassApprovalPrompt=false, generateRefreshToken=true, jsonFormat=true, supportedGrantTypes=[], supportedResponseTypes=[]), jwks=null, signIdToken=true, encryptIdToken=false, idTokenEncryptionAlg=null, idTokenEncryptionEncoding=null, sectorIdentifierUri=null, subjectType=public, dynamicallyRegistered=false, implicit=false, dynamicRegistrationDateTime=null, scopes=[profile])] matching [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})]>

2019-02-08 10:16:45,307 WARN [org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy] - <Registered service [service.clientName] does not define any authorized/supported delegated authentication providers. It is STRONGLY recommended that you authorize and assign providers to the service definition. While just a warning for now, this behavior will be enforced by CAS in future versions.>

2019-02-08 10:16:45,307 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Client Access Granted,client=IDPSAML2,registeredService=service.clientName:^service.redirect_uri]
ACTION: DELEGATED_CLIENT_SUCCESS
APPLICATION: CAS
WHEN: Fri Feb 08 10:16:45 CET 2019
CLIENT IP ADDRESS: ip
SERVER IP ADDRESS: ip
=============================================================

>

2019-02-08 10:16:45,307 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Client Access Granted,client=IDP-SAML2,registeredService=service.clientName:^service.redirect_uri]
ACTION: DELEGATED_CLIENT_SUCCESS
APPLICATION: CAS
WHEN: Fri Feb 08 10:16:45 CET 2019
CLIENT IP ADDRESS: ip
SERVER IP ADDRESS: ip
=============================================================

2019-02-08 10:16:45,308 DEBUG [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <Delegated authentication policy for [OidcRegisteredService(super=OAuthRegisteredService(super=AbstractRegisteredService(serviceId=^service.redirect_uri, name=service.clientName, theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=1003, description=null, expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, expirationDate=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, evaluationOrder=0, usernameAttributeProvider=PrincipalAttributeRegisteredServiceUsernameProvider(usernameAttribute=*******), logoutType=BACK_CHANNEL, requiredHandlers=[], attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[BaseOidcScopeAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, excludedAttributes=null, includeOnlyAttributes=null), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null), allowedAttributes=[name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at], scopeName=profile)]), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-duo], failureMode=NONE, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false), logo=null, logoutUrl=null, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[]), requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, properties={}, contacts=[]), clientSecret=service.secret, clientId=service.clientId, bypassApprovalPrompt=false, generateRefreshToken=true, jsonFormat=true, supportedGrantTypes=[], supportedResponseTypes=[]), jwks=null, signIdToken=true, encryptIdToken=false, idTokenEncryptionAlg=null, idTokenEncryptionEncoding=null, sectorIdentifierUri=null, subjectType=public, dynamicallyRegistered=false, implicit=false, dynamicRegistrationDateTime=null, scopes=[profile])] allows for using client [#SAML2Client# | name: IDP-SAML2 | callbackUrl: https://idp-oidc.fr/login | urlResolver: org.pac4j.core.http.url.DefaultUrlResolver@1a8335ef | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@48630fdc | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@625a354d | redirectActionBuilder: org.pac4j.saml.redirect.SAML2RedirectActionBuilder@197fae8c | credentialsExtractor: org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@1ad0dc01 | authenticator: org.pac4j.saml.credentials.authenticator.SAML2Authenticator@4a1d2d68 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@36aab35d | logoutActionBuilder: org.pac4j.saml.logout.SAML2LogoutActionBuilder@795e993b | authorizationGenerators: [] |]>

2019-02-08 10:16:45,488 DEBUG [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <Retrieved credentials from client as [SAML2Credentials{nameId=SAMLNameID{format='urn:oasis:names:tc:SAML:2.0:nameid-format:transient', nameQualifier='null', spNameQualifier='null', spProviderId='null', value='userLogged(pseudo)'}, sessionIndex='null', attributes=[SAMLAttribute{friendlyName='samlAuthenticationStatementAuthMethod', name='samlAuthenticationStatementAuthMethod', nameFormat='null', attributeValues=[urn:oasis:names:tc:SAML:1.0:am:password]}, SAMLAttribute{friendlyName='isFromNewLogin', name='isFromNewLogin', nameFormat='null', attributeValues=[false]}, SAMLAttribute{friendlyName='authenticationDate', name='authenticationDate', nameFormat='null', attributeValues=[2019-02-08T10:16:44.509+01:00[Europe/Paris]]}, SAMLAttribute{friendlyName='authenticationMethod', name='authenticationMethod', nameFormat='null', attributeValues=[FileAuthenticationHandler]}, SAMLAttribute{friendlyName='successfulAuthenticationHandlers', name='successfulAuthenticationHandlers', nameFormat='null', attributeValues=[FileAuthenticationHandler]}, SAMLAttribute{friendlyName='longTermAuthenticationRequestTokenUsed', name='longTermAuthenticationRequestTokenUsed', nameFormat='null', attributeValues=[false]}], conditions=SAMLConditions{notBefore=2019-02-08T09:16:44.605Z, notOnOrAfter=2019-02-08T09:16:44.605Z}, issuerId='https://idp-SAML2', authnContexts=[urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified]}]>

2019-02-08 10:16:45,490 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Attempting to resolve authentication event using resolver [ServiceTicketRequestWebflowEventResolver]>

2019-02-08 10:16:45,491 DEBUG [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver] - <Located ticket-granting ticket [null] from the request context>

2019-02-08 10:16:45,491 DEBUG [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver] - <Located service [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] from the request context>

2019-02-08 10:16:45,491 DEBUG [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver] - <Provided value for [renew] request parameter is [null]>

2019-02-08 10:16:45,491 DEBUG [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver] - <Request is not eligible to be issued service tickets just yet>

2019-02-08 10:16:45,492 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Attempting to resolve authentication event using resolver [InitialAuthenticationAttemptWebflowEventResolver]>

2019-02-08 10:16:45,524 DEBUG [org.apereo.cas.support.pac4j.authentication.handler.support.ClientAuthenticationHandler] - <Located client credentials as [ClientCredential(typedIdUsed=false, userProfile=#SAML2Profile# | id: userPseudo | attributes: {samlAuthenticationStatementAuthMethod=[urn:oasis:names:tc:SAML:1.0:am:password], isFromNewLogin=[false], authenticationDate=[2019-02-08T10:16:44.509+01:00[Europe/Paris]], authenticationMethod=[FileAuthenticationHandler], successfulAuthenticationHandlers=[FileAuthenticationHandler], notOnOrAfter=2019-02-08T09:16:44.605Z, longTermAuthenticationRequestTokenUsed=[false], notBefore=2019-02-08T09:16:44.605Z} | roles: [] | permissions: [] | isRemembered: false | clientName: IDP-SAML2 | linkedId: null |, credentials=SAML2Credentials{nameId=SAMLNameID{format='urn:oasis:names:tc:SAML:2.0:nameid-format:transient', nameQualifier='null', spNameQualifier='null', spProviderId='null', value='userPseudo'}, sessionIndex='null', attributes=[SAMLAttribute{friendlyName='samlAuthenticationStatementAuthMethod', name='samlAuthenticationStatementAuthMethod', nameFormat='null', attributeValues=[urn:oasis:names:tc:SAML:1.0:am:password]}, SAMLAttribute{friendlyName='isFromNewLogin', name='isFromNewLogin', nameFormat='null', attributeValues=[false]}, SAMLAttribute{friendlyName='authenticationDate', name='authenticationDate', nameFormat='null', attributeValues=[2019-02-08T10:16:44.509+01:00[Europe/Paris]]}, SAMLAttribute{friendlyName='authenticationMethod', name='authenticationMethod', nameFormat='null', attributeValues=[FileAuthenticationHandler]}, SAMLAttribute{friendlyName='successfulAuthenticationHandlers', name='successfulAuthenticationHandlers', nameFormat='null', attributeValues=[FileAuthenticationHandler]}, SAMLAttribute{friendlyName='longTermAuthenticationRequestTokenUsed', name='longTermAuthenticationRequestTokenUsed', nameFormat='null', attributeValues=[false]}], conditions=SAMLConditions{notBefore=2019-02-08T09:16:44.605Z, notOnOrAfter=2019-02-08T09:16:44.605Z}, issuerId='https://IDP-SAML2/cas/idp', authnContexts=[urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified]}, clientName=IDP-SAML2.clientName)]>

2019-02-08 10:16:45,524 DEBUG [org.apereo.cas.support.pac4j.authentication.handler.support.ClientAuthenticationHandler] - <Client name: [IDP-SAML2.clientName]>

2019-02-08 10:16:45,525 DEBUG [org.apereo.cas.support.pac4j.authentication.handler.support.ClientAuthenticationHandler] - <Delegated client is: [#SAML2Client# | name: IDP-SAML2.clientName | callbackUrl: https://idp-oidc.fr/login | urlResolver: org.pac4j.core.http.url.DefaultUrlResolver@1a8335ef | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@48630fdc | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@625a354d | redirectActionBuilder: org.pac4j.saml.redirect.SAML2RedirectActionBuilder@197fae8c | credentialsExtractor: org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@1ad0dc01 | authenticator: org.pac4j.saml.credentials.authenticator.SAML2Authenticator@4a1d2d68 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@36aab35d | logoutActionBuilder: org.pac4j.saml.logout.SAML2LogoutActionBuilder@795e993b | authorizationGenerators: [] |]>

2019-02-08 10:16:45,525 DEBUG [org.apereo.cas.support.pac4j.authentication.handler.support.ClientAuthenticationHandler] - <Final user profile is: [#SAML2Profile# | id: userPseudo | attributes: {samlAuthenticationStatementAuthMethod=[urn:oasis:names:tc:SAML:1.0:am:password], isFromNewLogin=[false], authenticationDate=[2019-02-08T10:16:44.509+01:00[Europe/Paris]], authenticationMethod=[FileAuthenticationHandler], successfulAuthenticationHandlers=[FileAuthenticationHandler], notOnOrAfter=2019-02-08T09:16:44.605Z, longTermAuthenticationRequestTokenUsed=[false], notBefore=2019-02-08T09:16:44.605Z} | roles: [] | permissions: [] | isRemembered: false | clientName: IDP-SAML2.clientName | linkedId: null |]>

2019-02-08 10:16:45,546 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: userPseudo
WHAT: Supplied credentials: [ClientCredential(typedIdUsed=false, userProfile=#SAML2Profile# | id: userPseudo | attributes: {samlAuthenticationStatementAuthMethod=[urn:oasis:names:tc:SAML:1.0:am:password], isFromNewLogin=[false], authenticationDate=[2019-02-08T10:16:44.509+01:00[Europe/Paris]], authenticationMethod=[FileAuthenticationHandler], successfulAuthenticationHandlers=[FileAuthenticationHandler], notOnOrAfter=2019-02-08T09:16:44.605Z, longTermAuthenticationRequestTokenUsed=[false], notBefore=2019-02-08T09:16:44.605Z} | roles: [] | permissions: [] | isRemembered: false | clientName: service.clientName | linkedId: null |, credentials=SAML2Credentials{nameId=SAMLNameID{format='urn:oasis:names:tc:SAML:2.0:nameid-format:transient', nameQualifier='null', spNameQualifier='null', spProviderId='null', value='userPseudo'}, sessionIndex='null', attributes=[SAMLAttribute{friendlyName='samlAuthenticationStatementAuthMethod', name='samlAuthenticationStatementAuthMethod', nameFormat='null', attributeValues=[urn:oasis:names:tc:SAML:1.0:am:password]}, SAMLAttribute{friendlyName='isFromNewLogin', name='isFromNewLogin', nameFormat='null', attributeValues=[false]}, SAMLAttribute{friendlyName='authenticationDate', name='authenticationDate', nameFormat='null', attributeValues=[2019-02-08T10:16:44.509+01:00[Europe/Paris]]}, SAMLAttribute{friendlyName='authenticationMethod', name='authenticationMethod', nameFormat='null', attributeValues=[FileAuthenticationHandler]}, SAMLAttribute{friendlyName='successfulAuthenticationHandlers', name='successfulAuthenticationHandlers', nameFormat='null', attributeValues=[FileAuthenticationHandler]}, SAMLAttribute{friendlyName='longTermAuthenticationRequestTokenUsed', name='longTermAuthenticationRequestTokenUsed', nameFormat='null', attributeValues=[false]}], conditions=SAMLConditions{notBefore=2019-02-08T09:16:44.605Z, notOnOrAfter=2019-02-08T09:16:44.605Z}, issuerId='https://IDP-SAML2/cas/idp', authnContexts=[urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified]}, clientName=IDP-SAML2.clientName)]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Fri Feb 08 10:16:45 CET 2019
CLIENT IP ADDRESS: ip
SERVER IP ADDRESS: ip
=============================================================

>

2019-02-08 10:16:45,550 DEBUG [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - <Locating service [AbstractWebApplicationService(id=service.redirect_uri, originalUrl=service.redirect_uri, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] in service registry to determine authentication policy>

2019-02-08 10:16:45,550 DEBUG [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - <Locating authentication event in the request context...>

2019-02-08 10:16:45,550 DEBUG [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - <Enforcing access strategy policies for registered service [OidcRegisteredService(super=OAuthRegisteredService(super=AbstractRegisteredService(serviceId=^service.redirect_uri, name=service.clientName, theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=1003, description=null, expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, expirationDate=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, evaluationOrder=0, usernameAttributeProvider=PrincipalAttributeRegisteredServiceUsernameProvider(usernameAttribute=*****), logoutType=BACK_CHANNEL, requiredHandlers=[], attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[BaseOidcScopeAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, excludedAttributes=null, includeOnlyAttributes=null), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null), allowedAttributes=[name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at], scopeName=profile)]), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-duo], failureMode=NONE, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false), logo=null, logoutUrl=null, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[]), requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, properties={}, contacts=[]), clientSecret=service.secret, clientId=service.clientId, bypassApprovalPrompt=false, generateRefreshToken=true, jsonFormat=true, supportedGrantTypes=[], supportedResponseTypes=[]), jwks=null, signIdToken=true, encryptIdToken=false, idTokenEncryptionAlg=null, idTokenEncryptionEncoding=null, sectorIdentifierUri=null, subjectType=public, dynamicallyRegistered=false, implicit=false, dynamicRegistrationDateTime=null, scopes=[profile])] and principal [SimplePrincipal(id=userPseudo, attributes={samlAuthenticationStatementAuthMethod=[urn:oasis:names:tc:SAML:1.0:am:password], isFromNewLogin=[false], authenticationDate=[2019-02-08T10:16:44.509+01:00[Europe/Paris]], authenticationMethod=[FileAuthenticationHandler], successfulAuthenticationHandlers=[FileAuthenticationHandler], notOnOrAfter=2019-02-08T09:16:44.605Z, longTermAuthenticationRequestTokenUsed=[false], notBefore=2019-02-08T09:16:44.605Z})]>

2019-02-08 10:16:45,557 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: userPseudo
WHAT: [result=Service Access Granted,service=service.redirect_uri,principal=SimplePrincipal(id=userPseudo, attributes={samlAuthenticationStatementAuthMethod=[urn:oasis:names:tc:SAML:1.0:am:password], isFromNewLogin=[false], authenticationDate=[2019-02-08T10:16:44.509+01:00[Europe/Paris]], authenticationMethod=[FileAuthenticationHandler], successfulAuthenticationHandlers=[FileAuthenticationHandler], notOnOrAfter=2019-02-08T09:16:44.605Z, longTermAuthenticationRequestTokenUsed=[false], notBefore=2019-02-08T09:16:44.605Z}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Feb 08 10:16:45 CET 2019
CLIENT IP ADDRESS: ip
SERVER IP ADDRESS: ip
=============================================================

>

2019-02-08 10:16:45,558 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
- <Attempting to resolve candidate authentication events for service 
[AbstractWebApplicationService(id=service.redirect_uri, 
originalUrl=service.redirect_uri, artifactId=null, principal=null, 
source=service, loggedOutAlready=false, format=XML, attributes={})]>

 

2019-02-08 10:16:45,566 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
- <Resolving candidate authentication event for service 
[AbstractWebApplicationService(id=service.redirect_uri, 
originalUrl=service.redirect_uri, artifactId=null, principal=null, 
source=service, loggedOutAlready=false, format=XML, attributes={})] using 
[AdaptiveMultifactorAuthenticationPolicyEventResolver]>

 

2019-02-08 10:16:45,568 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
<Attempting to resolve authentication event using resolver 
[AdaptiveMultifactorAuthenticationPolicyEventResolver]>

 

2019-02-08 10:16:45,568 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.mfa.adaptive.AdaptiveMultifactorAuthenticationPolicyEventResolver]
- <Adaptive authentication is not configured to require multifactor 
authentication>

 

2019-02-08 10:16:45,592 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
- <Resolving candidate authentication event for service 
[AbstractWebApplicationService(id=service.redirect_uri, 
originalUrl=service.redirect_uri, artifactId=null, principal=null, 
source=service, loggedOutAlready=false, format=XML, attributes={})] using 
[RequestParameterMultifactorAuthenticationPolicyEventResolver]>

 

2019-02-08 10:16:45,594 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
<Attempting to resolve authentication event using resolver 
[RequestParameterMultifactorAuthenticationPolicyEventResolver]>

 

2019-02-08 10:16:45,595 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.mfa.request.RequestParameterMultifactorAuthenticationPolicyEventResolver]
- <No value could be found for request parameter [authn_method]>

 

2019-02-08 10:16:45,601 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
- <Resolving candidate authentication event for service 
[AbstractWebApplicationService(id=service.redirect_uri, 
originalUrl=service.redirect_uri, artifactId=null, principal=null, 
source=service, loggedOutAlready=false, format=XML, attributes={})] using 
[RequestHeaderMultifactorAuthenticationPolicyEventResolver]>

2019-02-08 10:16:45,602 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
<Attempting to resolve authentication event using resolver 
[RequestHeaderMultifactorAuthenticationPolicyEventResolver]>

 

2019-02-08 10:16:45,685 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
<Attempting to resolve authentication event using resolver 
[OidcAuthenticationContextWebflowEventResolver]>

2019-02-08 10:16:45,686 DEBUG 
[org.apereo.cas.oidc.web.flow.OidcAuthenticationContextWebflowEventResolver] 
- <No ACR provided in the authentication request>

2019-02-08 10:16:45,686 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
- <No candidate authentication events were resolved for service 
[AbstractWebApplicationService(id=service.redirect_uri, 
originalUrl=service.redirect_uri, artifactId=null, principal=null, 
source=service, loggedOutAlready=false, format=XML, attributes={})]>

2019-02-08 10:16:45,686 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
<Resolved single event [success] via 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
for this context>

2019-02-08 10:16:45,687 DEBUG 
[org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - 
<Finalizing authentication transactions and issuing ticket-granting ticket>

2019-02-08 10:16:45,695 DEBUG 
[org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - 
<Finalizing authentication event...>

2019-02-08 10:16:45,696 DEBUG 
[org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - 
<Creating ticket-granting ticket, potentially based on [null]>

2019-02-08 10:16:45,696 DEBUG 
[org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - 
<Attempting to issue a new ticket-granting ticket...>

2019-02-08 10:16:45,705 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN

=============================================================

WHO: userPseudo

WHAT: [result=Service Access 
Granted,service=service.redirect_uri,principal=SimplePrincipal(id=userPseudo, 
attributes={samlAuthenticationStatementAuthMethod=[urn:oasis:names:tc:SAML:1.0:am:password],
isFromNewLogin=[false], 
authenticationDate=[2019-02-08T10:16:44.509+01:00[Europe/Paris]], 
authenticationMethod=[FileAuthenticationHandler], 
successfulAuthenticationHandlers=[FileAuthenticationHandler], notOnOrAfter=[2019-02-08T09:16:44.605Z], 
longTermAuthenticationRequestTokenUsed=[false], 
notBefore=[2019-02-08T09:16:44.605Z]}),requiredAttributes={}]

ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED

APPLICATION: CAS

WHEN: Fri Feb 08 10:16:45 CET 2019

CLIENT IP ADDRESS: ip

SERVER IP ADDRESS: ip

=============================================================

 

>

2019-02-08 10:16:45,731 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN

=============================================================

WHO: userPseudo

WHAT: 
TGT-1-*******************************************************************************************st-oidc.fr

ACTION: TICKET_GRANTING_TICKET_CREATED

APPLICATION: CAS

WHEN: Fri Feb 08 10:16:45 CET 2019

CLIENT IP ADDRESS: ip

SERVER IP ADDRESS: ip

=============================================================

 

>

2019-02-08 10:16:45,732 DEBUG 
[org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - 
<Calculating authentication warning messages...>

 

2019-02-08 10:16:45,733 DEBUG 
[org.apereo.cas.web.flow.DefaultSingleSignOnParticipationStrategy] - 
<Located [^service.redirect_uri] in registry. Service access to participate 
in SSO is set to [true]>

 

2019-02-08 10:16:45,734 DEBUG 
[org.apereo.cas.web.flow.login.SendTicketGrantingTicketAction] - <Setting 
ticket-granting cookie for current session linked to 
[TGT-1-*******************************************************************************************st-oidc.fr].>

 

2019-02-08 10:16:45,737 DEBUG 
[org.apereo.cas.web.flow.GenerateServiceTicketAction] - <Service asking for 
service ticket is [AbstractWebApplicationService(id=service.redirect_uri, 
originalUrl=service.redirect_uri, artifactId=null, principal=null, 
source=service, loggedOutAlready=false, format=XML, attributes={})]>

 

2019-02-08 10:16:45,737 DEBUG 
[org.apereo.cas.web.flow.GenerateServiceTicketAction] - <Ticket-granting 
ticket found in the context is 
[TGT-1-*******************************************************************************************st-oidc.fr]>

 

2019-02-08 10:16:45,745 DEBUG 
[org.apereo.cas.web.flow.GenerateServiceTicketAction] - <Registered service 
asking for service ticket is 
[OidcRegisteredService(super=OAuthRegisteredService(super=AbstractRegisteredService(serviceId=^service.redirect_uri,
name=service.clientName, theme=null, informationUrl=null, privacyUrl=null, 
responseType=null, id=****, description=null, 
expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
notifyWhenDeleted=false, expirationDate=null), 
proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, 
evaluationOrder=0, 
usernameAttributeProvider=PrincipalAttributeRegisteredServiceUsernameProvider(usernameAttribute=****),
logoutType=BACK_CHANNEL, requiredHandlers=[], 
attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[BaseOidcScopeAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, 
excludedAttributes=null, includeOnlyAttributes=null), 
authorizedToReleaseCredentialPassword=false, 
authorizedToReleaseProxyGrantingTicket=false, 
excludeDefaultAttributes=false, 
authorizedToReleaseAuthenticationAttributes=true, 
principalIdAttribute=null), allowedAttributes=[name, family_name, 
given_name, middle_name, nickname, preferred_username, profile, picture, 
website, gender, birthdate, zoneinfo, locale, updated_at], 
scopeName=profile)]), 
multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-duo],
failureMode=NONE, principalAttributeNameTrigger=null, 
principalAttributeValueToMatch=null, bypassEnabled=false), logo=null, 
logoutUrl=null, 
accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, 
enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, 
delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[]),
requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, 
caseInsensitive=false), publicKey=null, properties={}, contacts=[]), 
clientSecret=service.clientSecret, clientId=service.clientId, 
bypassApprovalPrompt=false, generateRefreshToken=true, jsonFormat=true, 
supportedGrantTypes=[], supportedResponseTypes=[]), jwks=null, 
signIdToken=true, encryptIdToken=false, idTokenEncryptionAlg=null, 
idTokenEncryptionEncoding=null, sectorIdentifierUri=null, 
subjectType=public, dynamicallyRegistered=false, implicit=false, 
dynamicRegistrationDateTime=null, scopes=[profile])]>

 

2019-02-08 10:16:45,746 DEBUG 
[org.apereo.cas.web.flow.GenerateServiceTicketAction] - <Built the final 
authentication result [DefaultAuthenticationResult(credentialProvided=true, 
authentication=org.apereo.cas.authentication.DefaultAuthentication@8e4e9ee1, 
service=AbstractWebApplicationService(id=service.redirect_uri, 
originalUrl=service.redirect_uri, artifactId=null, principal=null, 
source=service, loggedOutAlready=false, format=XML, attributes={}))] to 
grant service ticket to 
[AbstractWebApplicationService(id=service.redirect_uri, 
originalUrl=service.redirect_uri, artifactId=null, principal=null, 
source=service, loggedOutAlready=false, format=XML, attributes={})]>

 

2019-02-08 10:16:45,750 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN

=============================================================

WHO: userPseudo

WHAT: [result=Service Access 
Granted,service=service.redirect_uri,requiredAttributes={}]

ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED

APPLICATION: CAS

WHEN: Fri Feb 08 10:16:45 CET 2019

CLIENT IP ADDRESS: idp

SERVER IP ADDRESS: idp

=============================================================

 

>

2019-02-08 10:16:45,775 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN

=============================================================

WHO: userPseudo

WHAT: ST-1-****idp-oidc.fr for service.redirect_uri

ACTION: SERVICE_TICKET_CREATED

APPLICATION: CAS

WHEN: Fri Feb 08 10:16:45 CET 2019

CLIENT IP ADDRESS: idp

SERVER IP ADDRESS: idp

=============================================================

 

>

 

2019-02-08 10:16:45,780 DEBUG 
[org.apereo.cas.web.flow.GenerateServiceTicketAction] - <Granted service 
ticket [ST-1-****idp-oidc.fr] and added it to the request scope>

 

2019-02-08 10:16:45,781 DEBUG 
[org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Located 
service [AbstractWebApplicationService(id=service.redirect_uri, 
originalUrl=service.redirect_uri, artifactId=null, principal=userPseudo, 
source=service, loggedOutAlready=false, format=XML, attributes={})] from 
the context>

 

2019-02-08 10:16:45,781 DEBUG 
[org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Located 
authentication 
[org.apereo.cas.authentication.DefaultAuthentication@5ecac821] from the 
context>

 

2019-02-08 10:16:45,782 DEBUG 
[org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Located 
service response builder 
[org.apereo.cas.authentication.principal.WebApplicationServiceResponseBuilder@f5c1f973]
for [AbstractWebApplicationService(id=service.redirect_uri, 
originalUrl=service.redirect_uri, artifactId=null, principal=userPseudo, 
source=service, loggedOutAlready=false, format=XML, attributes={})]>

 

2019-02-08 10:16:45,787 DEBUG 
[org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Built response 
[org.apereo.cas.authentication.principal.DefaultResponse@19db421] for 
[AbstractWebApplicationService(id=service.redirect_uri, 
originalUrl=service.redirect_uri, artifactId=null, principal=userPseudo, 
source=service, loggedOutAlready=false, format=XML, attributes={})]>

 

2019-02-08 10:16:45,787 DEBUG 
[org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Signaling flow 
to redirect to service 
[AbstractWebApplicationService(id=service.redirect_uri, 
originalUrl=service.redirect_uri, artifactId=null, principal=userPseudo, 
source=service, loggedOutAlready=false, format=XML, attributes={})] via 
event [redirect]>


I don't know when the error occurred. I will publish the logs about OIDC 
authentication later.


Thanks for your help,

Kyra

On Wednesday, 6 February 2019 at 08:56:47 UTC+1, kyra1510 wrote:
>
> Hi all,
>
> I apologize for my French English.
>
> I have a problem when I upgrade my CAS 5.2.x to CAS 5.3.7 with the SAML 
> delegation.
> My CAS 5.3.7 is configured to use OpenID Connect authentication, but it 
> is also possible to delegate the authentication to a SAML2 IdP.
> I have no problem with the delegation in CAS 5.2.x.
>
> When I use the OIDC authentication without delegation, the workflow is 
> correct.
> Workflow:
> 1 The user enters their password and logs in on the authentication page
> 2 The user is redirected to a consent page
> 3 When they click on the "allow" button, an authorization code is returned
>
> But when I use the SAML2 delegation, I am not redirected to the consent page:
> 1 The user clicks on the button which redirects to the correct IdP
> 2 The user logs in on the SAML IdP
> 3 Afterwards the user is returned to my CAS 5.3.7 and arrives on the page 
> service?ticket=ST-x 
> <https://idp-auth.poc-mobilite.test-gar.education.fr/com.worldline.bcmc.gar.openidcpoc.oidcnongar:/oauthredirect?ticket=ST-4-3XKBx3tGziyH-T3nCMxlmedrnycidp-auth.poc-mobilite.test-gar.education.fr>xxxxxxxxxxxxxxxxxxxxxxxxxxx
>  
> and I get a 302 code
>
>
> I found this issue on GitHub which seems to correspond to my problem: 
> https://github.com/apereo/cas/pull/3664.
> It describes the same issue in CAS 5.3.x in the SAML2 protocol before the 
> bug was fixed. It didn't concern the delegation.
> Could this problem be related to my issue?
>
> Thanks for any help.
>
> Kyra
>
>
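The audit-trail records in the log above can be parsed and checked mechanically rather than read by eye. The following is an added example (not code from this thread or from CAS) that reads constructed records in the same inspektr layout, re-joins values that the mail client wrapped, and lists which service each service ticket was granted to. It assumes, from the `/login?service=...oauth2.0/callbackAuthorize` redirect at the start of the thread, that an OIDC login should end with a service ticket for the callbackAuthorize service rather than for the client's redirect_uri; the sample log and the `service.redirect_uri` placeholder are constructed.

```python
import re
# Constructed excerpt in the inspektr audit-trail layout shown in the post (redaction placeholders kept).
SAMPLE_LOG = """\
2019-02-08 10:16:45,557 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: userPseudo
WHAT: [result=Service Access
Granted,service=service.redirect_uri,requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
=============================================================
>
2019-02-08 10:16:45,775 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: userPseudo
WHAT: ST-1-****idp-oidc.fr for service.redirect_uri
ACTION: SERVICE_TICKET_CREATED
WHEN: Fri Feb 08 10:16:45 CET 2019
=============================================================
>
"""

KEY_RE = re.compile(r"^(WHO|WHAT|ACTION|APPLICATION|WHEN|CLIENT IP ADDRESS|SERVER IP ADDRESS): ?(.*)$")
CALLBACK_PATH = "/oauth2.0/callbackAuthorize"  # CAS OAuth/OIDC callback service, from the thread's first redirect

def parse_audit_records(text):
    """Split 'Audit trail record BEGIN ... >' blocks into dicts, re-joining mail-wrapped values."""
    records, current, field = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if "Audit trail record BEGIN" in line:
            current, field = {}, None
            records.append(current)
        elif current is None or not line or line.startswith("="):
            continue
        elif line == ">":  # record terminator
            current, field = None, None
        else:
            m = KEY_RE.match(line)
            if m:
                field = m.group(1)
                current[field] = m.group(2)
            elif field:  # wrapped continuation of the previous value
                current[field] = (current[field] + " " + line).strip()
    return records

def service_ticket_targets(records):
    """(WHEN, WHO, service) for every SERVICE_TICKET_CREATED record."""
    out = []
    for r in records:
        m = re.match(r"(\S+) for (\S+)$", r.get("WHAT", ""))
        if r.get("ACTION") == "SERVICE_TICKET_CREATED" and m:
            out.append((r["WHEN"], r["WHO"], m.group(2)))
    return out

def direct_redirect_grants(records):
    """STs not granted to callbackAuthorize: an OIDC login is expected to end with an ST for that
    service (which then drives consent and the code), so an ST for the client's redirect_uri itself
    is the symptom in the post. The expected target is an assumption from the thread's first redirect."""
    return [t for t in service_ticket_targets(records) if CALLBACK_PATH not in t[2]]
```

Run over a full cas.log, an empty result from `direct_redirect_grants` means every service ticket went through the OAuth callback; a non-empty one pinpoints the WHEN/WHO of the grant to compare against the DEBUG lines around it.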

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d40d599d-c2c7-40c6-8ade-69d1e0d9c60e%40apereo.org.
