Pablo,

Could you have one CAS and use localization
https://apereo.github.io/cas/7.3.x/ux/User-Interface-Customization-Localization.html?

There might be something on https://fawnoos.com/blog/

Ray
________________________________
From: [email protected] <[email protected]> on behalf of Pablo Vidaurri 
<[email protected]>
Sent: February 18, 2026 12:09
To: CAS Community <[email protected]>
Subject: [cas-user] CAS delegated login to another CAS instance

I have CAS on my English website delegated to Azure EntraId. That is working 
fine.
I also have CAS on my Chinese site also delegating login to Azure EntraId. Also 
working fine.

But users complain why do they have to log in twice, once for each domain. For 
Azure EntraId I pass in query param: prompt=login so that users for my service 
always have to log in. Let's leave it like this.

I am thinking, have my EN site continue to delegate to Azure but now have my CN 
CAS instance delegate to EN CAS instance. This way if no session exists on EN 
CAS only then will it delegate to Azure. If EN CAS session exists, then just 
return back to CN CAS and create my session on that domain too.

I have this for my EN CAS delegation to be used for my CN site:
cas.authn.pac4j.cas[0].login-url=https://my.en-site.com/cas/login
cas.authn.pac4j.cas[0].protocol=CAS30
cas.authn.pac4j.cas[0].auto-redirect-type=NONE
cas.authn.pac4j.cas[0].callback-url-type=PATH_PARAMETER
cas.authn.pac4j.cas[0].client-name=DelegatedCasClient
cas.authn.pac4j.cas[0].display-name=DelegatedCasClient
cas.authn.pac4j.cas[0].principal-id-attribute=id
cas.authn.pac4j.cas[0].callback-url=https://my.cn-site.com/cas/login

And of course I have my azure oidc config, main piece:
cas.authn.pac4j.oidc[0].generic.callback-url= https://my.en-site.com/cas/login
cas.authn.pac4j.oidc[0].generic.client-name=EnAzureClient

CN service file has this block:

"delegatedAuthenticationPolicy": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      "allowedProviders": ["java.util.ArrayList", ["DelegatedCasClient"]],
      "permitUndefined": false,
      "exclusive": true
    }

EN service file has this block:

"delegatedAuthenticationPolicy": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      "allowedProviders": ["java.util.ArrayList", ["EnAzureClient"]],
      "permitUndefined": false,
      "exclusive": true
    }

This should conceptually work, correct? At the moment I am testing this on CAS 
v6.6.15.1 (I'm in the middle of a CAS 7.3 upgrade). But I am getting an error:

[ERROR org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager](default task-4) Delegated client identifier cannot be located in the authentication request [https://my.en-site.com/cas/login?ticket=ST-1-XXXX&lang_cd=en&client_name=DelegatedCasClient

Looking at the class, it looks like it's just trying to fetch the ticket from 
the registry.

Is there a better way to do this?
-psv

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2442ba2a-cf2f-4cfb-bc62-21f3dde48034n%40apereo.org.
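
A consistency check for the two-instance layout discussed in this thread, added here as an example; it is not part of the original messages and not CAS's own code. It cross-checks each instance's pac4j client names and callback URLs against the service policy's allowedProviders, and reports whether the host named in a logged callback URL defines the client that URL carries. It assumes the cas[0] properties live on my.cn-site.com and the oidc[0] properties on my.en-site.com; the function names and sample dictionaries are constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit
# Constructed inputs: values quoted in the thread, keyed by the CAS host that
# is assumed to hold them (cas[0] on the CN instance, oidc[0] on the EN one).
PROPS = {
    "my.cn-site.com": (
        "cas.authn.pac4j.cas[0].login-url=https://my.en-site.com/cas/login\n"
        "cas.authn.pac4j.cas[0].client-name=DelegatedCasClient\n"
        "cas.authn.pac4j.cas[0].callback-url=https://my.cn-site.com/cas/login\n"),
    "my.en-site.com": (
        "cas.authn.pac4j.oidc[0].generic.callback-url= https://my.en-site.com/cas/login\n"
        "cas.authn.pac4j.oidc[0].generic.client-name=EnAzureClient\n"),
}
POLICY = {
    "my.cn-site.com": '{"allowedProviders": ["java.util.ArrayList", ["DelegatedCasClient"]]}',
    "my.en-site.com": '{"allowedProviders": ["java.util.ArrayList", ["EnAzureClient"]]}',
}
LOGGED_URL = "https://my.en-site.com/cas/login?ticket=ST-1-XXXX&lang_cd=en&client_name=DelegatedCasClient"

KEY = re.compile(r"^(cas\.authn\.pac4j\.\w+\[\d+\])\.(?:\w+\.)?"
                 r"(client-name|callback-url)[ \t]*=[ \t]*(\S+)[ \t]*$", re.M)

def clients(props):
    """Map each delegated client-name to its callback-url (None if unset)."""
    by_prefix = {}
    for prefix, key, value in KEY.findall(props):
        by_prefix.setdefault(prefix, {})[key] = value
    return {c["client-name"]: c.get("callback-url")
            for c in by_prefix.values() if "client-name" in c}

def check_instance(host, props, policy_json):
    """Findings for one instance: off-host callbacks, undefined providers."""
    defined = clients(props)
    bad_cb = [f"{n}: callback-url is not on {host}" for n, cb in defined.items()
              if cb and urlsplit(cb).hostname != host]
    unknown = [f"{n}: allowed by policy but not defined on {host}"
               for n in json.loads(policy_json)["allowedProviders"][1] if n not in defined]
    return bad_cb + unknown

def check_callback(url, props_by_host):
    """Does the host that received a callback define the client it names?"""
    parts = urlsplit(url)
    name = parse_qs(parts.query).get("client_name", [None])[0]
    if name in clients(props_by_host.get(parts.hostname, "")):
        return None
    return f"{parts.hostname} received a callback for {name}, which it does not define"

print(check_callback(LOGGED_URL, PROPS))
```

Under the stated assumption, both instances pass `check_instance`, while the logged URL pairs the EN host with a client name configured on the CN instance.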
