Do you control the data in the remote IdP? If you do not control the remote data, how do you guarantee that the username returned is unique and not modifiable by the user? What would happen if the user entered a different username, johns, instead? If you just store the username as part of the login flow, any user with an Okta account could log in as one of your users.
You need to establish the remote / local relationship before the user logs in; then look up the local user with the remote username from Okta. There is this property to get the remote username [1]:

cas.authn.pac4j.saml[0].name-id-attribute

Ray

[1] https://apereo.github.io/cas/7.2.x/integration/Delegate-Authentication-SAML2.html

________________________________
From: [email protected] <[email protected]> on behalf of Yan Zhou <[email protected]>
Sent: October 6, 2025 07:13
To: CAS Community <[email protected]>
Subject: [cas-user] store-for-match-later in delegated authN

Hello,

CAS 7.2, delegated AuthN with SAML.

In the CAS screen where you enter a username in order for CAS to locate the external IdP, the business problem I deal with is that the username in CAS is different from the one in the external IdP. For instance, I may enter username johnsmith in CAS, it goes to Okta, but in Okta the user may enter their Okta username: jsmith.

When the SAML response comes back to CAS, I want CAS to create a principal with the CAS username johnsmith (not jsmith as Okta says), and with attributes from the Okta jsmith user. There is one level of indirection here.

How and where do I store the CAS username before CAS delegates to the external IdP, and match it with the response later on? The outbound delegation and inbound response are two different requests.

thx!

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/fc344419-f41a-4b54-8ed9-84cc3e6649e0n%40apereo.org.
-- - Website: https://apereo.github.io/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/YQBP288MB00815F0573D587EBF9F1C36FCEE3A%40YQBP288MB0081.CANP288.PROD.OUTLOOK.COM.
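The point Ray makes above, as an added illustration that is not part of the thread and not CAS code: a pre-established mapping from local CAS usernames to Okta NameIDs, consulted on the way back with the NameID from the SAML response, against the "store what was typed and trust it later" flow. All names (`LOCAL_TO_REMOTE`, `NaiveFlow`, `MappedFlow`, `SamlResponse`) and the sample directory and responses are constructed for the example; the NameID is assumed to be whatever attribute `cas.authn.pac4j.saml[0].name-id-attribute` selects.

```python
"""Constructed example: resolving the local principal in a delegated SAML login.

The typed username only picks the external IdP.  The identity CAS ends up
with must come from a relationship that was established before the login
(local username -> remote NameID), keyed on what the IdP asserts.
"""
from dataclasses import dataclass, field

# Constructed directory, established out of band before any login.
LOCAL_TO_REMOTE = {"johnsmith": "jsmith", "janedoe": "jdoe"}
REMOTE_TO_LOCAL = {remote: local for local, remote in LOCAL_TO_REMOTE.items()}


@dataclass
class SamlResponse:
    """Minimal stand-in for what comes back from the IdP (constructed)."""
    name_id: str                      # the attribute selected as name-id-attribute
    attributes: dict = field(default_factory=dict)


class NaiveFlow:
    """Stores the typed username at delegation time and reuses it on return.

    This is the pattern the reply warns about: whoever completes the Okta
    login, the principal becomes the name typed at the CAS screen.
    """

    def __init__(self):
        self.pending = {}             # session id -> typed username

    def start(self, session_id, typed_username):
        self.pending[session_id] = typed_username
        return "okta"                 # the IdP chosen for this username

    def finish(self, session_id, resp):
        local = self.pending.pop(session_id)
        # BUG: resp.name_id is never compared with anything.
        return {"principal": local, "attributes": resp.attributes}


class MappedFlow:
    """Resolves the principal from the remote NameID via the pre-established map."""

    def __init__(self):
        self.pending = {}             # session id -> typed username (IdP selection only)

    def start(self, session_id, typed_username):
        self.pending[session_id] = typed_username
        return "okta"

    def finish(self, session_id, resp):
        typed = self.pending.pop(session_id, None)
        local = REMOTE_TO_LOCAL.get(resp.name_id)
        if local is None:
            return None               # remote account has no local counterpart
        if typed is not None and typed != local:
            return None               # typed name and asserted identity disagree
        return {"principal": local, "attributes": resp.attributes}


def demo():
    """Run both flows on the same two responses; returns the four outcomes."""
    legit = SamlResponse("jsmith", {"mail": "jsmith@example.test"})
    other = SamlResponse("someoneelse", {"mail": "someoneelse@example.test"})

    naive = NaiveFlow()
    naive.start("s1", "johnsmith")
    naive_other = naive.finish("s1", other)      # becomes johnsmith anyway

    mapped = MappedFlow()
    mapped.start("s2", "johnsmith")
    mapped_legit = mapped.finish("s2", legit)    # johnsmith, from the mapping
    mapped.start("s3", "johnsmith")
    mapped_other = mapped.finish("s3", other)    # None: unmapped NameID

    return naive_other, mapped_legit, mapped_other


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The mapping lookup is the only step that ties the asserted NameID to a local account; the extra comparison against the typed name is a consistency check on top of it, not a substitute for it.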
