Pablo, I am currently doing what you did. Per your first posting, you were able to display the button for delegated login.
Did you modify the login page to add the button? If so, can you share the HREF for the button? Or the click event URL?

Best,
Doe

On Friday, January 5, 2024 at 1:00:48 AM UTC-5 Pablo Vidaurri wrote:

> To close on this issue. I found it was related to having two TGC cookies.
> Stumbling across this post
> <https://groups.google.com/u/1/a/apereo.org/g/cas-user/c/xsc-_CTMjvA>, I
> see the same use case being an issue since 2021. I have users either log in
> to the CAS login page directly, which authenticates against LDAP, or the user
> clicks on a delegated login button (out of the box function via config)
> which redirects them to Azure AD for authentication. It is when the user
> clicks on the Azure AD button that I get two TGC and no session gets created
> on the browser.
>
> I've worked around this for now by commenting out this line from the
> *InitialFlowSetupAction*.java *configureWebflowForTicketGrantingTicket*
> method:
> clearTicketGrantingCookieFromContext(context, null);
>
> -psv
>
> On Tuesday, January 2, 2024 at 8:33:58 PM UTC-6 Pablo Vidaurri wrote:
>
>> It looks like TGC is getting clobbered.
>>
>> On redirect back to CAS with id_token:
>> https://mydomain.com/cas/login?id_token=<REMOVED>&state=bfed6b9641&session_state=<REMOVE>&client_name=AzureAdClient
>>
>> I'm getting two TGC cookie values:
>> TGC=<REMOVED>; Path=/cas; SameSite=None; Secure; HttpOnly
>> LANGUAGE_OPTION=en; path=/; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT
>> TGC=""; Version=1; Path=/cas; Secure; HttpOnly; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Comment="CAS Cookie"
>>
>> This is out of the box CAS v 6.6.14.
>>
>> -psv
>>
>> On Tuesday, January 2, 2024 at 10:31:58 AM UTC-6 Pablo Vidaurri wrote:
>>
>>> Hello, still struggling with getting Azure AD setup. Tried with both CAS
>>> 6.6.8 and 6.6.12.
>>>
>>> - I am able to display the button for delegated login
>>> - I get redirected to Azure when clicked
>>> - I am able to log in with my AD credentials
>>> - I get redirected to my app with id_token query param which contains jwt of my user attributes
>>> - I can verify the id_token value using jwt.ms to view the decoded token.
>>> - I am able to see default casGenericSuccessView.html page with principal and user attributes from AD
>>> - But it does not look like a session is actually created. https://mydomain.com/security/actuator/sso returns a 400
>>>
>>> This is not a problem when I use ldap to authenticate.
>>>
>>> In my db, I see TransientSessionTicket and TicketGrantingTicket records being created.
>>>
>>> I have the following config:
>>>
>>> cas.authn.pac4j.oidc[0].azure.discovery-uri=https://login.microsoftonline.com/<hidden>/v2.0/.well-known/openid-configuration
>>> cas.authn.pac4j.oidc[0].azure.id=<hidden>
>>> cas.authn.pac4j.oidc[0].azure.secret=<hidden>
>>> cas.authn.pac4j.oidc[0].azure.tenant=<hidden>
>>> cas.authn.pac4j.oidc[0].azure.mapped-claims.Email=upn
>>>
>>> cas.authn.pac4j.oidc[0].azure.enabled=true
>>> cas.authn.pac4j.oidc[0].azure.client-name=AzureAdClient
>>> cas.authn.pac4j.oidc[0].azure.display-name=Azure AD
>>> cas.authn.pac4j.oidc[0].azure.auto-redirect-type=NONE
>>> cas.authn.pac4j.oidc[0].azure.callback-url-type=PATH_PARAMETER
>>> cas.authn.pac4j.oidc[0].azure.logout-url=https://login.microsoftonline.com/common/oauth2/logout
>>> cas.authn.pac4j.oidc[0].azure.use-nonce=true
>>>
>>> cas.authn.pac4j.oidc[0].azure.principal-attribute-id=userId
>>> cas.authn.pac4j.oidc[0].azure.response-mode=form_post
>>> cas.authn.pac4j.oidc[0].azure.response-type=id_token
>>> cas.authn.pac4j.oidc[0].azure.scope=openid,profile,email
>>>
>>> Any insight would be appreciated.
>>> -psv
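As an added example that is not part of the thread or of CAS itself, the script below models how a browser applies the Set-Cookie headers Pablo quoted, in order, and reports a cookie that is set and then deleted within the same response, which is the TGC clobbering he describes. The TGC ticket value is a constructed placeholder.

```python
# Added diagnostic, not code from the CAS project or from the thread's author.
# Models how a browser applies Set-Cookie headers in order (RFC 6265: same name
# and path replaces the earlier cookie; Max-Age=0 or a past Expires deletes it).
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed from the headers quoted in the thread; the ticket value is a placeholder.
SET_COOKIE_HEADERS = [
    "TGC=TGT-1-PLACEHOLDER; Path=/cas; SameSite=None; Secure; HttpOnly",
    "LANGUAGE_OPTION=en; path=/; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT",
    'TGC=""; Version=1; Path=/cas; Secure; HttpOnly; Max-Age=0; '
    'Expires=Thu, 01-Jan-1970 00:00:00 GMT; Comment="CAS Cookie"',
]

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().strip('"') if val else True
    return name.strip(), value.strip().strip('"'), attrs

def is_deletion(attrs, now=None):
    """True when the header removes the cookie instead of setting it."""
    now = now or datetime.now(timezone.utc)
    if attrs.get("max-age") not in (None, True):
        return int(attrs["max-age"]) <= 0  # Max-Age takes precedence over Expires
    if attrs.get("expires") not in (None, True):
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires <= now
    return False

def apply_response(headers):
    """Apply headers in order as a browser would. Returns the resulting jar keyed
    by (name, path) and the names set and then deleted in the same response."""
    jar, clobbered = {}, []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        key = (name, attrs.get("path", "/"))
        if is_deletion(attrs):
            if key in jar:
                clobbered.append(name)  # set earlier in this response, now wiped
            jar.pop(key, None)
        else:
            jar[key] = {"value": value, **attrs}
    return jar, clobbered
```

Running `apply_response(SET_COOKIE_HEADERS)` yields an empty jar and `["TGC"]` as clobbered, matching the missing browser session; with only the first header the TGC survives with SameSite=None and Secure, which a cross-site form_post callback needs.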
