Hi @leleuj,

This is the behavior that I am seeing in 5.2.7:

- If I have a single delegated IdP, this works: https://myapppretectedwithcas?client_name=remoteidp1
  It works great; I get redirected to remoteidp1 and come back to the app, great.

cas.authn.pac4j.cas[0].loginUrl=https://remoteidp1/cas/login
cas.authn.pac4j.cas[0].protocol=CAS20
cas.authn.pac4j.cas[0].clientName=remoteidp1
cas.authn.pac4j.cas[0].autoRedirect=true # not sure if this does anything
cas.authn.pac4j.autoRedirect=true # i guess this works

- But if I have two IdPs, then https://myapppretectedwithcas?client_name=remoteidp1 does not work anymore:

cas.authn.pac4j.cas[0].loginUrl=https://remoteidp1/cas/login
cas.authn.pac4j.cas[0].protocol=CAS20
cas.authn.pac4j.cas[0].clientName=remoteidp1
cas.authn.pac4j.cas[0].autoRedirect=true # not sure if this does anything
cas.authn.pac4j.autoRedirect=true # i guess this works
cas.authn.pac4j.cas[1].loginUrl=https://remoteidp2/cas/login
cas.authn.pac4j.cas[1].protocol=CAS20
cas.authn.pac4j.cas[1].clientName=remoteidp2

Now nothing works. "Does not work" means the user is just presented with the WAYF page, but they are not sent to the IdPs directly:

https://myapppretectedwithcas?client_name=remoteidp2  (does not work)
https://myapppretectedwithcas?client_name=remoteidp1  (does not work)

On Friday, April 20, 2018 at 9:04:25 AM UTC-4 leleuj wrote:
> Hi,
>
> I'm resuming on your latest message.
>
> Yes, you do need a callback URL for your application.
>
> This is the doc you are looking for:
> https://apereo.github.io/cas/5.2.x/installation/Service-Management.html
>
> Every time you want an application to log in to the CAS server, the CAS
> server must know it. Thus the declaration of the CAS services and callback
> URLs.
>
> Thanks.
> Best regards,
> Jérôme
>
> On Thu, Apr 19, 2018 at 10:39 PM, Steve Hespelt <[email protected]> wrote:
>
>> Well, I stumbled across a few config properties I decided to try
>> (desperate people do desperate things...)
>>
>> cas.http-web-request.cors.allow-credentials=true
>> # ? where are login requests coming from? Our webapp server name(s)
>> # is this needed to get the final redirect back to our app ??
>> cas.http-web-request.cors.allow-origins=localhost
>> # ??
>> cas.webflow.redirect-same-state=true
>>
>> Restarted CAS, same test case.
>> Now I see this warning log:
>> 2018-04-19 15:47:48,430 WARN [org.apereo.cas.web.flow.ServiceAuthorizationCheck] - <Service Management: missing service. Service [https://localhost:8449/callback?client_name=CasClient] is not found in service registry.>
>> ^^^^ I have to have a Service defined for the callback to the initial app ???
>>
>> 2018-04-19 15:47:48,432 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImpl] - <Attempting to handle [org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.ServiceAuthorizationCheck@5fad865 in state 'serviceAuthorizationCheck' of flow 'login' -- action execution attributes were 'map[[empty]]'] with root cause [org.apereo.cas.services.UnauthorizedServiceException: Service Management: missing service. Service [https://localhost:8449/callback?client_name=CasClient] is not found in service registry.]>
>>
>> Has anyone actually gotten delegated authentication to flow from CAS back to an app that used the CAS protocol to request authentication to work, using CAS 5.2.x? Reading tons of CAS docs has provided no magic beans, nor did any page mention having to have a callback service defined...
>> Am I frustrated? You bet.
>> Is it correct for me to assume that this use case is 'typical' and that, being typical, the default webflow definitions in CAS 5.2.2 ought to provide for it working? The docs at https://apereo.github.io/cas/5.2.x/installation/Webflow-Customization.html certainly suggest to me that's the case.
>> Sure would like to make use of many of the positive features described in CAS 5.2.x. But I have to wonder if I'm missing much of the necessary details. I would like to avoid implementing all the features myself. Never been a big fan of the "let's reinvent the wheel" school of development. But...
>>
>> Any insights, magic beans greatly appreciated.
>> -steve
>>
>> On Thursday, April 19, 2018 at 1:46:35 PM UTC-4, Steve Hespelt wrote:
>>>
>>> Hi Jérôme,
>>> I found an earlier posting
>>> <https://groups.google.com/a/apereo.org/d/msg/cas-user/bGZam9qkP3E/IKPTYzp7AQAJ>
>>> from 12/21/17 regarding the NPEs, so as suggested by that posting, I restarted CAS & then cleared all related cookies from the browser. Once I restarted CAS & re-initiated the same flow, no more NPE as shown in my log. But I still have the problem with the webflow not finishing as I expect.
>>> I increased the log level to trace on a few packages:
>>> org.apereo.cas.web.flow
>>> org.springframework.webflow
>>> org.springframework.session
>>> org.springframework.web
>>> org.springframework.web.socket
>>> Some log entries of interest (to me): (and I'm currently guessing the issue may be related to an SSO log msg at 2018-04-19 11:53:23,186 below. Why would a service not be allowed to use SSO?)
>>> -steve
>>>
>>> 2018-04-19 11:53:01,183 TRACE [org.springframework.web.servlet.DispatcherServlet] - <Bound request context to thread: org.apache.catalina.connector.RequestFacade@33327a12>
>>> <- this object ref# shows up later, at the bottom, so I'm correlating this initial log with the later ('completion') log msg below with the same object ref#...
>>> 2018-04-19 11:53:01,183 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <DispatcherServlet with name 'dispatcherServlet' processing GET request for [/cas/login]>
>>>
>>> 2018-04-19 11:53:01,209 TRACE [org.apereo.cas.web.CasWebApplicationContext] - <Publishing event in org.apereo.cas.web.CasWebApplicationContext@222545dc: ServletRequestHandledEvent: url=[/cas/login]; client=[0:0:0:0:0:0:0:1]; method=[GET]; servlet=[dispatcherServlet]; session=[2C34A85ABE5CF428636B86D697AA5B56]; user=[null]; time=[26ms]; status=[OK]>
>>> <- From the pac4j demo's SecurityFilter redirect to initial request on /cas/index.jsp
>>>
>>> 2018-04-19 11:53:22,914 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <DispatcherServlet with name 'dispatcherServlet' processing GET request for [/cas/login]>
>>>
>>> 2018-04-19 11:53:22,921 TRACE [org.springframework.web.servlet.DispatcherServlet] - <Testing handler map [org.springframework.webflow.mvc.servlet.FlowHandlerMapping@2ee91bdf] in DispatcherServlet with name 'dispatcherServlet'>
>>> 2018-04-19 11:53:22,921 DEBUG [org.springframework.webflow.mvc.servlet.FlowHandlerMapping] - <Mapping request with URI '/cas/login' to flow with id 'login'>
>>>
>>> 2018-04-19 11:53:22,921 DEBUG [org.springframework.webflow.executor.FlowExecutorImpl] - <Launching new execution of flow 'login' with input map['state' -> 'ldCrbo4sRBQJJ6MWsbMyEwW9aEbB2SXH4-qaq69Zz6s', 'code' -> '4/AAAp_BeFI-e0zZCTS9wDDdIcKYhrXd2QDMej_cpXiigGC_jCEZ43E_FrsaW-dPvESPMcVV32AFlPmaDHAVPg_ME', 'session_state' -> '6cd666a9989ac714aac38521f950f380ba3fcfc0..b199', 'client_name' -> 'GoogleOIDC', 'prompt' -> 'none', 'authuser' -> '0']>
>>> 2018-04-19 11:53:22,921 DEBUG [org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl] - <Getting FlowDefinition with id 'login'>
>>> 2018-04-19 11:53:22,921 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImplFactory] - <Creating new execution of 'login'>
>>> 2018-04-19 11:53:22,921 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImpl] - <Starting in org.springframework.webflow.mvc.servlet.MvcExternalContext@408aeb6f with input map['state' -> 'ldCrbo4sRBQJJ6MWsbMyEwW9aEbB2SXH4-qaq69Zz6s', 'code' -> '4/AAAp_BeFI-e0zZCTS9wDDdIcKYhrXd2QDMej_cpXiigGC_jCEZ43E_FrsaW-dPvESPMcVV32AFlPmaDHAVPg_ME', 'session_state' -> '6cd666a9989ac714aac38521f950f380ba3fcfc0..b199', 'client_name' -> 'GoogleOIDC', 'prompt' -> 'none', 'authuser' -> '0']>
>>> 2018-04-19 11:53:22,921 DEBUG [org.springframework.webflow.engine.Flow] - <Creating [FlowVariable@c58f8bd name = 'credential', valueFactory = [BeanFactoryVariableValueFactory@5cab14e3 type = UsernamePasswordCredential]]>
>>> 2018-04-19 11:53:22,922 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@29e2f697 expression = initialFlowSetupAction, resultExpression = [null]]>
>>> 2018-04-19 11:53:22,922 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.apereo.cas.web.flow.InitialFlowSetupAction@1c5e2d2f>
>>> 2018-04-19 11:53:22,922 DEBUG [org.apereo.cas.web.flow.InitialFlowSetupAction] - <Warning cookie path is set to [null] and path [/cas/]>
>>> 2018-04-19 11:53:22,922 DEBUG [org.apereo.cas.web.flow.InitialFlowSetupAction] - <TGC cookie path is set to [null] and path [/cas/]>
>>> 2018-04-19 11:53:22,923 DEBUG [org.apereo.cas.authentication.principal.WebApplicationServiceFactory] - <No service is specified in the request. Skipping service creation>
>>> 2018-04-19 11:53:22,923 DEBUG [org.apereo.cas.web.support.DefaultArgumentExtractor] - <No service could be extracted based on the given request>
>>> 2018-04-19 11:53:22,923 DEBUG [org.apereo.cas.web.support.AbstractArgumentExtractor] - <Extractor did not generate service.>
>>> 2018-04-19 11:53:22,924 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.apereo.cas.web.flow.InitialFlowSetupAction@1c5e2d2f; result = success>
>>> [...]
>>> 2018-04-19 11:53:22,924 DEBUG [org.pac4j.oidc.credentials.extractor.OidcExtractor] - <Authentication response successful>
>>> 2018-04-19 11:53:23,183 DEBUG [org.pac4j.oidc.credentials.authenticator.OidcAuthenticator] - <Token response: status=200, content={
>>>   "access_token": "ya29.GlyiBcpAH4iGUOnL7YWwmsCjl_Mbap24wouWyPh4CzDAHXJgozy5a6GZWfl6c8VEeQcgBSU6p2eWtWnhvXK1tZh8LsAmro4-24d4906l4m-XoWzvESO-Cac1SS8osA",
>>>   "token_type": "Bearer",
>>>   "expires_in": 3599,
>>>   "id_token": "eyJhbGc [...]DQ"
>>> }
>>> >
>>> 2018-04-19 11:53:23,184 DEBUG [org.pac4j.oidc.credentials.authenticator.OidcAuthenticator] - <Token response successful>
>>> 2018-04-19 11:53:23,184 DEBUG [org.pac4j.oidc.client.GoogleOidcClient] - <Credentials validation took: 260 ms>
>>> 2018-04-19 11:53:23,184 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <Retrieved credentials: [#OidcCredentials# | code: 4/AAAp_BeFI-e0zZCTS9wDDdIcKYhrXd2QDMej_cpXiigGC_jCEZ43E_FrsaW-dPvESPMcVV32AFlPmaDHAVPg_ME | clientName: GoogleOIDC | accessToken: ya29.GlyiBcpAH4iGUOnL7YWwmsCjl_Mbap24wouWyPh4CzDAHXJgozy5a6GZWfl6c8VEeQcgBSU6p2eWtWnhvXK1tZh8LsAmro4-24d4906l4m-XoWzvESO-Cac1SS8osA | refreshToken: null | idToken: com.nimbusds.jwt.SignedJWT@65ff182d |]>
>>> 2018-04-19 11:53:23,184 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <Retrieve service: [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@62347e06[id=https://localhost:8449/callback?client_name=CasClient,originalUrl=https://localhost:8449/callback?client_name=CasClient,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML]]>
>>> ^^^^ so CAS has the callback to provide the pac4j demo the credentials
>>>
>>> 2018-04-19 11:53:23,186 TRACE [org.apereo.cas.util.CollectionUtils] - <Converting attribute [org.apereo.cas.support.pac4j.authentication.handler.support.ClientAuthenticationHandler@462b239f]>
>>> 2018-04-19 11:53:23,186 WARN [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Service [null] is not allowed to use SSO.>
>>> 2018-04-19 11:53:23,187 TRACE [org.apereo.cas.audit.spi.ThreadLocalPrincipalResolver] - <Resolving principal at audit point [execution(Authentication org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(AuthenticationTransaction))]>
>>> 2018-04-19 11:53:23,187 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>>> [...]
>>> 2018-04-19 11:53:23,190 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImpl] - <Attempting to handle [org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction@7ce721a9 in state 'clientAction' of flow 'login' -- action execution attributes were 'map[[empty]]']
>>> org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction@7ce721a9 in state 'clientAction' of flow 'login' -- action execution attributes were 'map[[empty]]'
>>>     at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:60) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>>>     at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>>>     at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>>>     at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>>>     at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>>>     at org.springframework.webflow.engine.State.enter(State.java:194) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>>>     at org.springframework.webflow.engine.Flow.start(Flow.java:527) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>>>     at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140) ~[spring-webflow-2.4.6.RELEASE.j
>>>
>>> 2018-04-19 11:53:23,211 DEBUG [org.springframework.webflow.mvc.view.AbstractMvcView] - <Rendering MVC [org.thymeleaf.spring4.view.ThymeleafView@5a9194a2] with model map [{passwordManagementEnabled=false, recaptchaSiteKey=null, viewScope=map[[empty]], warnCookieValue=false, org.springframework.validation.BindingResult.credential=org.springframework.webflow.mvc.view.BindingModel: 0 errors, staticAuthentication=true, flowExecutionUrl=/cas/login?client_name=GoogleOIDC&state=ldCrbo4sRBQJJ6MWsbMyEwW9aEbB2SXH4-qaq69Zz6s&code=4%2FAAAp_BeFI-e0zZCTS9wDDdIcKYhrXd2QDMej_cpXiigGC_jCEZ43E_FrsaW-dPvESPMcVV32AFlPmaDHAVPg_ME&authuser=0&session_state=6cd666a9989ac714aac38521f950f380ba3fcfc0..b199&prompt=none&execution=35aa2986-8f39-4b7f-8a78-4a69bb475c54_H4sIAAAAAA [...] AAA%3D, rootCauseException=org.apereo.cas.services.UnauthorizedSsoServiceException: service.not.authorized.sso, flowRequestContext=[RequestControlContextImpl@2b4c688c externalContext = org.springframework.webflow.mvc.servlet.MvcExternalContext@408aeb6f, currentEvent = [null], requestScope = map['ticketGrantingTicketId' -> [null]], attributes = map[[empty]], messageContext = [DefaultMessageContext@46184e22 sourceMessages = map[[null] -> list[[empty]]]], flowExecution = [FlowExecutionImpl@7e5c67f1 flow = 'login', flowSessions = list[[FlowSessionImpl@4157062f flow = 'login', state = 'viewLoginForm', scope = map['passwordManagementEnabled' -> false, 'rememberMeAuthenticationEnabled' -> false, 'recaptchaSiteKey' -> [null], 'viewScope' -> map[[empty]], 'credential' -> null, 'warnCookieValue' -> false, 'staticAuthentication' -> true, 'service' -> org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@62347e06[id=https://localhost:8449/callback?client_name=CasClient,originalUrl=https://localhost:8449/callback?client_name=CasClient,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML], 'ticketGrantingTicketId' -> [null], 'googleAnalyticsTrackingId' -> [null], 'trackGeoLocation' -> false]]]]], rememberMeAuthenticationEnabled=false, currentUser=null, credential=null, flowExecutionKey=35aa2986-8f39-4b7f-8a78-4a69bb475c54_H4sIAAAAA [...]
>>> [...]
>>> 2018-04-19 11:53:23,237 DEBUG [org.apereo.cas.services.web.ChainingThemeResolver] - <No specific theme could be found. Using default theme [cas-theme-default}>
>>> 2018-04-19 11:53:23,266 DEBUG [org.springframework.webflow.engine.Transition] - <Completed transition execution. As a result, the new state is 'viewLoginForm' in flow 'login'>
>>> 2018-04-19 11:53:23,267 TRACE [org.springframework.web.servlet.DispatcherServlet] - <Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade@33327a12>
>>> <- same object ref# as in the initial above log msg.
>>> 2018-04-19 11:53:23,267 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <Successfully completed request>
>>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b04acace-f3d2-4d4e-a4e2-84314c92aa54%40apereo.org.
>

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/77b20402-03d7-4e94-bca6-917de3778d32n%40apereo.org.
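The "missing service" warning in Steve's log and Jérôme's reply that the callback URL must be declared as a CAS service both come down to the service registry lookup: the requesting URL is matched against each registered serviceId regex. The Python sketch below is an added example, not CAS code and not from anyone in this thread; it emulates that lookup over a constructed registry, assumes find()-style regex matching in evaluationOrder, and audits each serviceId for host anchoring, since an unanchored or wildcard pattern lets unrelated URLs pass the check.

```python
import re

# Constructed example registry, loosely shaped like CAS JSON service files:
# serviceId is a regular expression and the lowest evaluationOrder is tried
# first. Names, patterns and URLs here are assumptions for this example only.
REGISTRY = [
    {"name": "pac4j demo callback", "evaluationOrder": 10,
     "serviceId": r"^https://localhost:8449/callback(\?.*)?$"},
    {"name": "intranet app", "evaluationOrder": 20,
     "serviceId": r"^https://app\.internal\.example/.*"},
]


def find_service(registry, url):
    """Return the first registered entry whose serviceId regex is found in
    url, or None. None is the condition behind the 'missing service'
    warning. find()-style (substring) matching is an assumption here."""
    for svc in sorted(registry, key=lambda s: s["evaluationOrder"]):
        if re.search(svc["serviceId"], url):
            return svc
    return None


# A safe serviceId starts with ^, names a literal scheme and host (dots
# escaped, optional port) and only then allows a path, group or end anchor.
_HOST_PREFIX = re.compile(
    r"^\^(https?)://((?:[A-Za-z0-9-]+\\\.)*[A-Za-z0-9-]+)(?::\d+)?(?=/|\(|\$|$)")


def check_service_id(pattern):
    """Return (ok, reason) for one serviceId pattern."""
    if not pattern.startswith("^"):
        return False, "not anchored: can match anywhere inside a longer URL"
    m = _HOST_PREFIX.match(pattern)
    if not m:
        return False, "host is not a literal hostname (wildcard or unescaped dot)"
    return True, "anchored to host " + m.group(2)


def audit(registry):
    """Map each service name to the result of check_service_id."""
    return {svc["name"]: check_service_id(svc["serviceId"]) for svc in registry}


if __name__ == "__main__":
    cb = "https://localhost:8449/callback?client_name=CasClient"   # from the log above
    print(find_service([], cb))              # None: "is not found in service registry"
    print(find_service(REGISTRY, cb)["name"])
    for name, (ok, why) in audit(REGISTRY).items():
        print(f"{name}: {'OK' if ok else 'WEAK'} ({why})")
```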
