It looks like TGC is getting clobbered. On redirect back to CAS with id_token:

https://mydomain.com/cas/login?id_token=<REMOVED>&state=bfed6b9641&session_state=<REMOVED>&client_name=AzureAdClient
I'm getting two TGC cookie values:

TGC=<REMOVED>; Path=/cas; SameSite=None; Secure; HttpOnly
LANGUAGE_OPTION=en; path=/; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT
TGC=""; Version=1; Path=/cas; Secure; HttpOnly; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Comment="CAS Cookie"

This is out-of-the-box CAS v6.6.14.

-psv

On Tuesday, January 2, 2024 at 10:31:58 AM UTC-6 Pablo Vidaurri wrote:
> Hello, still struggling with getting Azure AD set up. Tried with both CAS 6.6.8 and 6.6.12.
>
> - I am able to display the button for delegated login
> - I get redirected to Azure when clicked
> - I am able to log in with my AD credentials
> - I get redirected to my app with an id_token query param which contains a JWT of my user attributes
> - I can verify the id_token value using jwt.ms to view the decoded token.
> - I am able to see the default casGenericSuccessView.html page with principal and user attributes from AD
> - But it does not look like a session is actually created. https://mydomain.com/security/actuator/sso returns a 400
>
> This is not a problem when I use LDAP to authenticate.
>
> In my db, I see TransientSessionTicket and TicketGrantingTicket records being created.
>
> I have the following config:
>
> cas.authn.pac4j.oidc[0].azure.discovery-uri=https://login.microsoftonline.com/<hidden>/v2.0/.well-known/openid-configuration
> cas.authn.pac4j.oidc[0].azure.id=<hidden>
> cas.authn.pac4j.oidc[0].azure.secret=<hidden>
> cas.authn.pac4j.oidc[0].azure.tenant=<hidden>
> cas.authn.pac4j.oidc[0].azure.mapped-claims.Email=upn
>
> cas.authn.pac4j.oidc[0].azure.enabled=true
> cas.authn.pac4j.oidc[0].azure.client-name=AzureAdClient
> cas.authn.pac4j.oidc[0].azure.display-name=Azure AD
> cas.authn.pac4j.oidc[0].azure.auto-redirect-type=NONE
> cas.authn.pac4j.oidc[0].azure.callback-url-type=PATH_PARAMETER
> cas.authn.pac4j.oidc[0].azure.logout-url=https://login.microsoftonline.com/common/oauth2/logout
> cas.authn.pac4j.oidc[0].azure.use-nonce=true
>
> cas.authn.pac4j.oidc[0].azure.principal-attribute-id=userId
> cas.authn.pac4j.oidc[0].azure.response-mode=form_post
> cas.authn.pac4j.oidc[0].azure.response-type=id_token
> cas.authn.pac4j.oidc[0].azure.scope=openid,profile,email
>
> Any insight would be appreciated.
> -psv

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9f3a0d67-6f2d-4662-bd4d-fdc6be600baen%40apereo.org.
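A quick check for the symptom reported above, added here as an example for this thread and not code from CAS or from the poster: parse the Set-Cookie header values of the redirect response and flag any cookie slot (same name and path, which is what a browser treats as one cookie) that is both populated and deleted in the same response. A browser applies Set-Cookie headers in order, so the last header for a slot wins; when the clearing header comes last, the TGC never survives the redirect. The three header values are constructed from the ones quoted in the post.

```python
"""Detect a session cookie that is set and then cleared in one HTTP response.

Added example for debugging the thread's symptom; it is not CAS code.  The
sample headers below are constructed from the Set-Cookie values quoted in
the post, in the order the server emitted them.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: the three Set-Cookie values quoted in the post.
SAMPLE_SET_COOKIE_HEADERS = [
    'TGC=<REMOVED>; Path=/cas; SameSite=None; Secure; HttpOnly',
    'LANGUAGE_OPTION=en; path=/; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT',
    'TGC=""; Version=1; Path=/cas; Secure; HttpOnly; Max-Age=0; '
    'Expires=Thu, 01-Jan-1970 00:00:00 GMT; Comment="CAS Cookie"',
]

Slot = Tuple[str, str]  # (cookie name, path): what a browser treats as one cookie


@dataclass
class SetCookie:
    name: str
    value: str
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)  # lower-cased keys

    @property
    def path(self) -> str:
        return self.attrs.get("path") or "/"

    def is_deletion(self, now: Optional[datetime] = None) -> bool:
        """True if this header removes the cookie instead of setting it.

        Per RFC 6265, Max-Age takes precedence over Expires; Max-Age <= 0 or an
        Expires in the past means "delete".  An empty value alone is not a
        deletion (CAS's clearing header also carries Max-Age=0).
        """
        now = now or datetime.now(timezone.utc)
        max_age = self.attrs.get("max-age")
        if max_age is not None:
            try:
                return int(max_age) <= 0
            except ValueError:
                pass
        expires = self.attrs.get("expires")
        if expires:
            try:
                return parsedate_to_datetime(expires) <= now
            except (TypeError, ValueError):  # unparsable or naive/aware mismatch
                return False
        return False


def parse_set_cookie(header: str) -> SetCookie:
    """Parse one Set-Cookie header value: name=value; attr; attr=value ..."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep:
        raise ValueError(f"not a cookie-pair: {parts[0]!r}")
    cookie = SetCookie(name.strip(), value.strip().strip('"'))
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        cookie.attrs[key.strip().lower()] = val.strip() if sep else None
    return cookie


def _by_slot(headers: List[str]) -> Dict[Slot, List[SetCookie]]:
    slots: Dict[Slot, List[SetCookie]] = {}
    for h in headers:
        c = parse_set_cookie(h)
        slots.setdefault((c.name, c.path), []).append(c)
    return slots


def final_cookie_state(headers: List[str]) -> Dict[Slot, Optional[str]]:
    """What the browser retains per slot after applying all headers in order:
    the last value, or None if the last header for that slot was a deletion."""
    state: Dict[Slot, Optional[str]] = {}
    for slot, cookies in _by_slot(headers).items():
        last = cookies[-1]
        state[slot] = None if last.is_deletion() else last.value
    return state


def find_clobbered_cookies(headers: List[str]) -> Dict[Slot, str]:
    """Slots that are both set and deleted within one response, with a reason."""
    problems: Dict[Slot, str] = {}
    for slot, cookies in _by_slot(headers).items():
        kinds = ["delete" if c.is_deletion() else "set" for c in cookies]
        if "set" in kinds and "delete" in kinds:
            problems[slot] = (f"{len(cookies)} Set-Cookie headers for this slot "
                              f"({', '.join(kinds)}); browser keeps the last one")
    return problems


if __name__ == "__main__":
    for slot, reason in find_clobbered_cookies(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"CLOBBERED {slot[0]} path={slot[1]}: {reason}")
    print("final state:", final_cookie_state(SAMPLE_SET_COOKIE_HEADERS))
```

Run it against the raw Set-Cookie values captured from the redirect (browser devtools or a proxy). On the sample it reports the `TGC` slot at `/cas` as set and then deleted, and the final state shows no TGC retained, which matches the 400 from the SSO actuator endpoint in the post: the browser never holds a ticket-granting cookie after the Azure AD callback.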
