To close on this issue: I found it was related to having two TGC cookies. 
Stumbling across this post 
<https://groups.google.com/u/1/a/apereo.org/g/cas-user/c/xsc-_CTMjvA>, I 
see the same use case being an issue since 2021. I have users either log in 
to the CAS login page directly, which authenticates against LDAP, or click on 
a delegated login button (out-of-the-box function via config), which 
redirects them to Azure AD for authentication. It is when the user clicks on 
the Azure AD button that I get two TGCs and no session gets created in the 
browser.

I've worked around this for now by commenting out this line from the 
configureWebflowForTicketGrantingTicket method of 
InitialFlowSetupAction.java:
   clearTicketGrantingCookieFromContext(context, null);

-psv

On Tuesday, January 2, 2024 at 8:33:58 PM UTC-6 Pablo Vidaurri wrote:

> It looks like TGC is getting clobbered. 
>
> On redirect back to CAS with id_token: 
> https://mydomain.com/cas/login?id_token=<REMOVED>&state=bfed6b9641&session_state=<REMOVE>&client_name=AzureAdClient
>
> I'm getting two TGC cookie values:
> TGC=<REMOVED>; Path=/cas; SameSite=None; Secure; HttpOnly
> LANGUAGE_OPTION=en; path=/; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT
> TGC=""; Version=1; Path=/cas; Secure; HttpOnly; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Comment="CAS Cookie"
>
> This is out-of-the-box CAS v6.6.14.
>
> -psv
>
> On Tuesday, January 2, 2024 at 10:31:58 AM UTC-6 Pablo Vidaurri wrote:
>
>> Hello, still struggling with getting Azure AD set up. Tried with both CAS 
>> 6.6.8 and 6.6.12.
>>
>>    - I am able to display the button for delegated login
>>    - I get redirected to Azure when clicked
>>    - I am able to log in with my AD credentials
>>    - I get redirected to my app with an id_token query param which contains a JWT of my user attributes
>>    - I can verify the id_token value using jwt.ms to view the decoded token.
>>    - I am able to see the default casGenericSuccessView.html page with principal and user attributes from AD
>>    - But it does not look like a session is actually created. https://mydomain.com/security/actuator/sso returns a 400
>>
>> This is not a problem when I use LDAP to authenticate.
>>
>> In my DB, I see TransientSessionTicket and TicketGrantingTicket records 
>> being created.
>>
>> I have the following config:
>>
>> cas.authn.pac4j.oidc[0].azure.discovery-uri=https://login.microsoftonline.com/<hidden>/v2.0/.well-known/openid-configuration
>> cas.authn.pac4j.oidc[0].azure.id=<hidden>
>> cas.authn.pac4j.oidc[0].azure.secret=<hidden>
>> cas.authn.pac4j.oidc[0].azure.tenant=<hidden>
>> cas.authn.pac4j.oidc[0].azure.mapped-claims.Email=upn
>>
>> cas.authn.pac4j.oidc[0].azure.enabled=true
>> cas.authn.pac4j.oidc[0].azure.client-name=AzureAdClient
>> cas.authn.pac4j.oidc[0].azure.display-name=Azure AD
>> cas.authn.pac4j.oidc[0].azure.auto-redirect-type=NONE
>> cas.authn.pac4j.oidc[0].azure.callback-url-type=PATH_PARAMETER
>> cas.authn.pac4j.oidc[0].azure.logout-url=https://login.microsoftonline.com/common/oauth2/logout
>> cas.authn.pac4j.oidc[0].azure.use-nonce=true
>>
>> cas.authn.pac4j.oidc[0].azure.principal-attribute-id=userId
>> cas.authn.pac4j.oidc[0].azure.response-mode=form_post
>> cas.authn.pac4j.oidc[0].azure.response-type=id_token
>> cas.authn.pac4j.oidc[0].azure.scope=openid,profile,email
>>
>> Any insight would be appreciated.
>> -psv
>>
>
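Added diagnostic, not code from this thread or from CAS itself: it replays a response's Set-Cookie headers in the order a browser applies them and reports any cookie that is given a value and then expired in the same response, which is the double-TGC symptom quoted above. The header list is constructed from the three lines quoted in the thread, with the redacted TGC value kept as a placeholder.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs). Attribute names are
    lower-cased (they are case-insensitive; the thread has Path and path); bare flags -> True."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().strip('"') or True
    return name.strip(), value.strip().strip('"'), attrs


def is_clearing(attrs):
    """True when the header deletes the cookie: Max-Age <= 0 (which takes precedence
    over Expires per RFC 6265) or an Expires date that is already in the past."""
    max_age = attrs.get("max-age")
    if isinstance(max_age, str) and max_age.lstrip("-").isdigit():
        return int(max_age) <= 0
    try:
        return parsedate_to_datetime(attrs["expires"]) <= datetime.now(timezone.utc)
    except (KeyError, TypeError, ValueError):
        return False


def audit_set_cookies(headers):
    """Apply Set-Cookie headers in order, as a browser does. Returns (final, clobbered):
    final maps (name, path) to the state the browser keeps ('set' or 'cleared');
    clobbered lists cookies given a value and then expired later in the same response."""
    final, seen_value, clobbered = {}, set(), []
    for name, _value, attrs in map(parse_set_cookie, headers):
        key = (name, attrs.get("path"))  # same name and path means the same cookie
        if is_clearing(attrs):
            if key in seen_value and key not in clobbered:
                clobbered.append(key)
            final[key] = "cleared"
        else:
            seen_value.add(key)
            final[key] = "set"
    return final, clobbered


# Constructed from the three Set-Cookie lines quoted in the thread; the real TGC value is redacted there.
RESPONSE_SET_COOKIES = [
    "TGC=<REMOVED>; Path=/cas; SameSite=None; Secure; HttpOnly",
    "LANGUAGE_OPTION=en; path=/; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT",
    'TGC=""; Version=1; Path=/cas; Secure; HttpOnly; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Comment="CAS Cookie"',
]
CLOBBERED = audit_set_cookies(RESPONSE_SET_COOKIES)[1]  # [("TGC", "/cas")]: browser keeps no TGC
```

Running it against a real response (for example the headers captured by the browser's network panel on the redirect back from Azure AD) shows immediately whether the session cookie survived the response or was wiped by a later header.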

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f773008b-8570-46c2-88d3-ec7371bda023n%40apereo.org.