here is what I try to do, AppB, authenticated by CAS. AppB does Not speak SAML, it uses CAS protocol to authenticate against CAS.
With SP initiated flow, i go to AppB, it redirects to CAS (cas protocol, NO SAML), CAS then delegates authN to Okta using SAML and validates SAML response, CAS SSO session created, user is in AppB. This is working. There is No SAML between AppB and CAS, there is SAML between CAS and Okta. In IdP initiated flow, I want Okta to post SAMLResponse to CAS SSO endpoint: /idp/profile/SAML2/Unsolicited/SSO, then something on URL (such as ProviderId parameter) will redirect to AppB URL after SAML response is validated and CAS session created. Next, user is directed to B, B uses CAS protocol for authN, CAS session is created, so user is in B. When I tried, it does not work that way. I got error on /idp/profile/SAML2/Unsolicited/SSO, this does Not accept HTTP POST, it expects GET, But IdP initiated flow always does POST since SAML response is included. I hope that makes sense. Yan On Monday, December 4, 2023 at 2:46:08 PM UTC-5 Ray Bon wrote: Yan, Could you configure IdP initiated login to redirect to appB rather than cas? fails due to the following, Is something missing after this? Ray On Mon, 2023-11-27 at 11:36 -0800, Yan Zhou wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. Hi, I am on CAS 6.4.x. Two apps, appA, authenticated by Okta, and appB, authenticated by CAS, cas delegates authN to Okta for appB. This is working correctly: I login to appA via Okta, when I got to appB URL, SSO happens. If I go straight to appB without login to Okta first, delegated authN takes me to Okta login page, etc. That works, partly because I have setup an Application inside Okta Admin portal, for Okta to post SAML response to CAS SSO endpoint: https://..../cas/login?client_name=Okta But, this is Not working. I login to my Okta portal, I click on the SAML2 application icon in Okta portal, i.e., Idp initiated flow, I expect that I will be in appB via SSO, but I am getting "application not authorized error" on CAS. Using SAML tracer, I found the SAML payload is almost identical in both cases, but the IdP-initiated flow fails due to the following, is that because there is Not CAS delegating to Okta, since it is Okta-initiated request, so the call fails? What do I need to do to make Idp initiated flow (i.e., initiated by Okta, which CAS delegates authN to) work? Thanks! protected TransientSessionTicket retrieveSessionTicketViaClientId(final WebContext webContext, final String clientId) { try { val ticket = configContext.getCentralAuthenticationService().getTicket(clientId, TransientSessionTicket.class); LOGGER.debug("Located delegated authentication client identifier as [{}]", ticket.getId()); return ticket; } catch (final Exception e) { LOGGER.error("Delegated client identifier cannot be located in the authentication request [{}]", webContext.getFullRequestURL()); throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, StringUtils.EMPTY); } } -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/15356588-638f-4cbc-a7f7-3bb012e15d95n%40apereo.org.
