I tried adding ClientAuthenticationHandler to the list of required handlers 
for the service.

"requiredHandlers": ["java.util.HashSet", ["jdbcHandler", "ClientAuthenticationHandler"]],

Authentication works now but the service ticket doesn't validate.

Ticket 'ST-9-xbUKZzA92DUsQtx7Gopfen11sxgip-192-168-1-254' does not match 
supplied service. The original service was 
'https://localhost:8445/c/portal/login?p_l_id=20146' and the supplied 
service was 'https://localhost:8445/c/portal/login?p_l_id=20146'.

The CAS logs show the service ticket validation and it looks successful but 
the calling code gets the response above.

2021-04-27 08:57:46,560 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: org.pac4j.oidc.profile.OidcProfile#445209
WHAT: ST-9-xbUKZzA92DUsQtx7Gopfen11sxgip-192-168-1-254 for https://localhost:8445/c/portal/login?p_l_id=20146
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Tue Apr 27 08:57:46 EDT 2021
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

This feels like a bug to me.  There should be a way to specify a specific 
handler, but also allow delegated authentication.

Abre
On Friday, April 23, 2021 at 2:02:38 PM UTC-4 Abre Chase wrote:

> Our application has multiple JDBC authentication sources, so we are using 
> requiredHandlers so each service will authenticate against the correct 
> database.  Now we are trying to turn on delegated authentication to allow 
> login from an OIDC IdP.  When requiredHandlers has a value, the OIDC login 
> fails because even though the user has passed the delegated authentication 
> the code still forces them through the requiredHandlers as well.  When I 
> remove requiredHandlers, the OIDC delegated authentication works correctly 
> but normal login doesn't use only the correct authentication handler.  
>
> Is there a way to specify a specific authentication source for a service 
> and also allow delegated authentication at the same time?
>
> My service configuration file looks something like:
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^https://localhost:8445.*",
>   "name" : "localhost",
>   "id" : 4,
>   "requiredHandlers": ["java.util.HashSet", ["jdbcHandler" ]],
>   "evaluationOrder" : 4,
>   "accessStrategy" : {
>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "delegatedAuthenticationPolicy" : {
>       "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
>       "allowedProviders" : [ "java.util.ArrayList", [ "oidcIdp"] ],
>       "permitUndefined": true,
>       "exclusive": false
>     }
>   }
> }
>
> Thanks for any advice,
>
> Abre
>
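The following is an added example, not code from the thread or from the CAS project. It is a small config review script that loads a CAS JSON service definition, unwraps the `["java.util.HashSet", [...]]` typed-collection notation, and flags the combination Abre hit: requiredHandlers set while delegated providers are allowed. It assumes, based on what Abre reports above, that a delegated login is only accepted when the delegated client's handler name (here ClientAuthenticationHandler) is itself listed in requiredHandlers; the sample service below is constructed from the definition posted in the thread.

```python
import json

# Constructed sample, copied from the service definition posted in this thread:
# requiredHandlers lists only the JDBC handler while delegation to "oidcIdp" is allowed.
SAMPLE_SERVICE = r'''
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://localhost:8445.*",
  "name" : "localhost",
  "id" : 4,
  "requiredHandlers": ["java.util.HashSet", ["jdbcHandler" ]],
  "evaluationOrder" : 4,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "delegatedAuthenticationPolicy" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      "allowedProviders" : [ "java.util.ArrayList", [ "oidcIdp"] ],
      "permitUndefined": true,
      "exclusive": false
    }
  }
}
'''

def unwrap(value):
    """Turn CAS's typed collections, e.g. ["java.util.HashSet", [...]], into plain lists."""
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and value[0].startswith("java.util.")
            and isinstance(value[1], list)):
        return [unwrap(v) for v in value[1]]
    if isinstance(value, dict):
        return {k: unwrap(v) for k, v in value.items()}
    return value

def check_required_handlers(service_json, delegated_handler="ClientAuthenticationHandler"):
    """Report a service that allows delegated providers but whose requiredHandlers
    would block them. Assumption (taken from this thread, not from CAS docs): delegated
    logins pass only if the delegated client's handler name is in requiredHandlers."""
    svc = unwrap(json.loads(service_json))
    required = set(svc.get("requiredHandlers") or [])
    policy = svc.get("accessStrategy", {}).get("delegatedAuthenticationPolicy", {})
    providers = policy.get("allowedProviders") or []
    findings = []
    if required and providers and delegated_handler not in required:
        findings.append(f"service {svc.get('id')}: requiredHandlers {sorted(required)} "
                        f"omit {delegated_handler}, so delegated providers "
                        f"{providers} will be rejected")
    return findings
```

Running `check_required_handlers(SAMPLE_SERVICE)` returns one finding for the posted definition and an empty list once ClientAuthenticationHandler is added to requiredHandlers.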

You received this message because you are subscribed to the Google Groups "CAS Community" group.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6fe01e08-cd08-4110-9f08-a7a4e7e36838n%40apereo.org.