This is not a localization issue, I know I probably made it confusing mentioning EN and CN domains.
Just assume I have two cas instances deployed on 2 domains on two different servers, one only having the delegated cas config. I have tested this and I can get it to work. CAS server 2 delegates to CAS server 1 and if no session on CAS server 1 then delegate to EntraId. Then finally session is created on CAS server 1 and then redirects to CAS server 2 which then also creates the session.

Now to add a bit of complexity: these two domains resolve to different IPs but route to the same physical server ... So I really have 2 domains running off the same CAS instance. mysite1.com/cas/login and mysite2/cas/login hit the same cas instance using the same cas config. As you can imagine, cookies and tickets are tied to the respective host.

Now when the first domain delegates the 2nd domain, the cas client name (cas.authn.pac4j.cas[0].client-name=DelegatedCasClient) is sent along. But when the primary CAS server delegates to EntraId and returns with JWT, the CAS server complains of ticket not found because it picks up the cas-client which does not belong to it, instead it belongs to the secondary CAS server.

Maybe there is no way around this but to either have two separate instances running with different configs or customizing a class to ignore the cas-client on the primary cas instance.

-psv

On Wednesday, February 18, 2026 at 4:29:29 PM UTC-6 Ray Bon wrote:

> Pablo,
>
> Could you have one cas and use localization
> https://apereo.github.io/cas/7.3.x/ux/User-Interface-Customization-Localization.html
> ?
>
> There might be something on https://fawnoos.com/blog/
>
> Ray
> ------------------------------
> *From:* [email protected] <[email protected]> on behalf of Pablo Vidaurri <[email protected]>
> *Sent:* February 18, 2026 12:09
> *To:* CAS Community <[email protected]>
> *Subject:* [cas-user] CAS delegated login to another CAS instance
>
> I have CAS on my English website delegated to Azure EntraId. That is
> working fine.
> I also have CAS on my Chinese site also delegating login to Azure EntraId.
> Also working fine.
>
> But users complain why do they have to login twice, once for each domain.
> For Azure EntraId I pass in query param: prompt=login so that users for my
> service always have to login. Let's leave it like this.
>
> I am thinking, have my EN site continue to delegate to Azure but now have
> my CN CAS instance delegate to EN CAS instance. This way if no session
> exists on EN CAS only then will it delegate to Azure. If EN CAS session
> exists, then just return back to CN CAS and create my session on that domain
> too.
>
> I have this for my EN CAS delegation to be used for my CN site:
> cas.authn.pac4j.cas[0].login-url=https://my.en-site.com/cas/login
> cas.authn.pac4j.cas[0].protocol=CAS30
> cas.authn.pac4j.cas[0].auto-redirect-type=NONE
> cas.authn.pac4j.cas[0].callback-url-type=PATH_PARAMETER
> cas.authn.pac4j.cas[0].client-name=DelegatedCasClient
> cas.authn.pac4j.cas[0].display-name=DelegatedCasClient
> cas.authn.pac4j.cas[0].principal-id-attribute=id
> cas.authn.pac4j.cas[0].callback-url=https://my.cn-site.com/cas/login
>
> And of course I have my azure oidc config, main piece:
> cas.authn.pac4j.oidc[0].generic.callback-url=https://my.en-site.com/cas/login
> cas.authn.pac4j.oidc[0].generic.client-name=EnAzureClient
>
> CN service file has this block:
>
> "delegatedAuthenticationPolicy": {
>   "@class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
>   "allowedProviders": ["java.util.ArrayList", ["DelegatedCasClient"]],
>   "permitUndefined": false,
>   "exclusive": true
> }
>
> EN service file has this block:
>
> "delegatedAuthenticationPolicy": {
>   "@class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
>   "allowedProviders": ["java.util.ArrayList", ["EnAzureClient"]],
>   "permitUndefined": false,
>   "exclusive": true
> }
>
> This should conceptually work, correct?
> At the moment I am testing this on
> CAS v6.6.15.1 (I'm in the middle of a CAS 7.3 upgrade). But I am getting an
> error:
>
> [ERROR org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager](default task-4) Delegated client identifier cannot be located in the authentication request [https://my.en-site.com/cas/login?ticket=ST-1-XXXX&lang_cd=en&client_name=DelegatedCasClient
>
> Looking at the class, it looks like it's just trying to fetch the ticket
> from the registry.
>
> Is there a better way to do this?
> -psv
>
> --
> - Website: https://apereo.github.io/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/2442ba2a-cf2f-4cfb-bc62-21f3dde48034n%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/2442ba2a-cf2f-4cfb-bc62-21f3dde48034n%40apereo.org?utm_medium=email&utm_source=footer>
> .
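
A triage check for the mismatch described in this thread, added here as an example and not part of any message or of CAS itself: it maps each configured client-name to the host of its callback-url and flags a request that arrives on a different host carrying that client_name. The function names and the sample inputs (property lines and URLs taken from the thread, with mail emphasis markers removed) are assumptions of this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: property lines from the thread, mail emphasis markers removed.
PROPERTIES = """\
cas.authn.pac4j.cas[0].client-name=DelegatedCasClient
cas.authn.pac4j.cas[0].callback-url=https://my.cn-site.com/cas/login
cas.authn.pac4j.oidc[0].generic.client-name=EnAzureClient
cas.authn.pac4j.oidc[0].generic.callback-url=https://my.en-site.com/cas/login
"""

# Constructed sample: requests shaped like the URL in the thread's error log.
REQUESTS = [
    "https://my.en-site.com/cas/login?ticket=ST-1-XXXX&lang_cd=en&client_name=DelegatedCasClient",
    "https://my.cn-site.com/cas/login?ticket=ST-1-XXXX&client_name=DelegatedCasClient",
]

# cas.authn.pac4j.<type>[N](.generic).(client-name|callback-url)=value
PROP_RE = re.compile(
    r"^cas\.authn\.pac4j\.(\w+\[\d+\])(?:\.generic)?\.(client-name|callback-url)\s*=\s*(.+)$"
)

def client_hosts(properties):
    """Map each configured client-name to the host of its callback-url."""
    grouped = {}
    for line in properties.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            grouped.setdefault(m.group(1), {})[m.group(2)] = m.group(3).strip()
    return {
        v["client-name"]: urlsplit(v["callback-url"]).hostname
        for v in grouped.values()
        if "client-name" in v and "callback-url" in v
    }

def check_request(url, hosts):
    """Classify a callback request by its client_name and the host it arrived on."""
    parts = urlsplit(url)
    names = parse_qs(parts.query).get("client_name")
    if not names:
        return "no-client-name"
    expected = hosts.get(names[0])
    if expected is None:
        return "unknown-client"
    return "ok" if parts.hostname == expected else "host-mismatch"

if __name__ == "__main__":
    for url in REQUESTS:
        print(check_request(url, client_hosts(PROPERTIES)), url)
```

Run against request URLs pulled from the CAS log, a "host-mismatch" result marks a callback that reached one domain with the other domain's client name attached.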
