[cas-user] CAS 5.3.8 + OIDC + PAC4J SAML2 problem claim

2019-02-28 Thread kyra1510
Hi all,

I have a problem with CAS 5.3.8 when I try to connect to two services 
with the same browser.

I explain my problem below.

I have one Apereo OIDC server where I delegate the authentication (with pac4j) to 
a SAML2 IDP.

I have two OIDC services:
- service1, which releases the claims claim1 and claim2; service1 has sub1
- service2, which releases the claims claim2 and claim3; service2 has sub2

The first connection works fine:
- I connect to the Apereo OIDC server with service1:
https://apereo.oidc.fr/oidc/authorize?response_type=code&client_id=service1.clientId&redirect_uri=service1.serviceId&scope=openid toto
(toto is a custom scope)
- Then I choose the SAML2 IDP for the delegated authentication
- I enter the username and password to log in
- Then I am redirected to the Apereo OIDC page where I can confirm that the 
service is authorized to access the claims claim1 and claim2
When I call the profile endpoint, I get claim1, claim2 and sub1.
The user has sub1.

However, the second connection is problematic:
- I connect to the Apereo OIDC server with service2:
https://apereo.oidc.fr/oidc/authorize?response_type=code&client_id=service2.clientId&redirect_uri=service2.serviceId&scope=openid
- The user is the same for the Apereo IDP SAML2
- I am not redirected to the consent page where I can confirm the claims
- But I get an authorization code
When I call the profile endpoint, I get claim1, claim2 and sub1.
Normally, I should get claim2, claim3 and sub2.
It is not the service2 definition that is applied but the service1 definition.

If I remove the JSESSIONID and TGC cookies, everything works fine.

Thanks for any help,
Kyra

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/80a17f3e-6184-4312-8b58-0f67110a71aa%40apereo.org.
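The two-service scenario described in the post above, as an added example (not code from the post, from CAS or from pac4j): a check that what the profile endpoint returns for each OIDC client matches that client's own service definition, so that the symptom of the second login (service2 receiving service1's claims and sub) is caught. Service names, claim names and subs come from the post; the registry layout and the sample responses are constructed for this example.

```python
"""Check profile-endpoint responses against per-service OIDC definitions.

Added example, not code from the post or from the CAS project. It models the
two services of the post (service1 releases claim1/claim2 with sub1, service2
releases claim2/claim3 with sub2) and flags a response in which one client
receives the claims or sub of another, as happened on the second login in
the same browser session. Registry layout and sample responses are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Mapping, Sequence, Tuple

# Constructed registry mirroring the post: released claims and the
# per-service subject identifier of each OIDC client.
SERVICE_REGISTRY: Dict[str, dict] = {
    "service1.clientId": {"claims": {"claim1", "claim2"}, "sub": "sub1"},
    "service2.clientId": {"claims": {"claim2", "claim3"}, "sub": "sub2"},
}


@dataclass
class Finding:
    client_id: str
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def check_profile(client_id: str, profile: Mapping[str, str],
                  registry: Mapping[str, dict] = SERVICE_REGISTRY) -> Finding:
    """Compare one profile-endpoint response with the client's definition.

    Reports a sub that belongs to a different service, claims this client is
    not allowed to receive, and allowed claims that were not released.
    """
    finding = Finding(client_id)
    definition = registry.get(client_id)
    if definition is None:
        finding.problems.append("client_id not in the service registry")
        return finding
    allowed = set(definition["claims"])
    returned = set(profile) - {"sub"}

    actual_sub = profile.get("sub")
    if actual_sub != definition["sub"]:
        # Name the service whose sub leaked, if it is a registered one.
        owners = [c for c, d in registry.items() if d["sub"] == actual_sub]
        hint = f", it is the sub of {owners[0]}" if owners else ""
        finding.problems.append(
            f"sub is {actual_sub!r}, expected {definition['sub']!r}{hint}")
    leaked = sorted(returned - allowed)
    if leaked:
        finding.problems.append(f"claims not released to this service: {leaked}")
    missing = sorted(allowed - returned)
    if missing:
        finding.problems.append(f"released claims absent: {missing}")
    return finding


def check_session(calls: Sequence[Tuple[str, Mapping[str, str]]]) -> List[Finding]:
    """Check every (client_id, profile) pair observed in one browser session."""
    return [check_profile(client_id, profile) for client_id, profile in calls]


# Constructed profile responses for the session described in the post:
# the second client gets the first client's data back.
SESSION_FROM_POST = [
    ("service1.clientId", {"sub": "sub1", "claim1": "a", "claim2": "b"}),
    ("service2.clientId", {"sub": "sub1", "claim1": "a", "claim2": "b"}),
]
# What the same session should look like (what the post gets after
# removing the JSESSIONID and TGC cookies).
SESSION_EXPECTED = [
    ("service1.clientId", {"sub": "sub1", "claim1": "a", "claim2": "b"}),
    ("service2.clientId", {"sub": "sub2", "claim2": "b", "claim3": "c"}),
]

if __name__ == "__main__":
    for label, session in (("reported", SESSION_FROM_POST),
                           ("expected", SESSION_EXPECTED)):
        for f in check_session(session):
            print(f"{label}: {f.client_id}: "
                  f"{'ok' if f.ok else '; '.join(f.problems)}")
```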


[cas-user] Re: CAS 5.3.7 Issue Pac4J OIDC + SAML2 Delegation

2019-02-14 Thread kyra1510
Hi all,

I upgraded my CAS version from 5.2.7 to 5.2.8 and everything is working fine.

On Wednesday, 6 February 2019 at 08:56:47 UTC+1, kyra1510 wrote:
>
> Hi all,
>
> I apologize for my French English.
>
> I have a problem when I upgrade my CAS 5.2.x to CAS 5.3.7 with the SAML 
> delegation.
> My CAS 5.3.7 is configured to use the OpenID Connect authentication, but it 
> is possible to delegate the authentication to a SAML2 IDP.
> I have no problem with the delegation in CAS 5.2.x.
>
> When I use the OIDC authentication without delegation, the workflow is 
> correct.
> Workflow:
> 1 The user enters their password and logs in on the authentication page
> 2 The user is redirected to a consent page
> 3 When the user clicks on the "allow" button, an authorization code is returned
>
> But when I use the SAML2 delegation, I am not redirected to the consent page:
> 1 The user clicks on the button which redirects to the correct IDP
> 2 The user logs in on the SAML IDP
> 3 Then the user is returned to my CAS 5.3.7 and arrives on the page 
> service?ticket=ST-x 
> <https://idp-auth.poc-mobilite.test-gar.education.fr/com.worldline.bcmc.gar.openidcpoc.oidcnongar:/oauthredirect?ticket=ST-4-3XKBx3tGziyH-T3nCMxlmedrnycidp-auth.poc-mobilite.test-gar.education.fr>xxx
>
> and I get a code 302
>
>
> I found this issue on GitHub which seems to correspond to my problem: 
> https://github.com/apereo/cas/pull/3664.
> It describes the same issue in CAS 5.3.x in the SAML2 protocol before the 
> bug was fixed. It did not concern the delegation.
> Could it be that this problem is related to my issue?
>
> Thanks for any help.
>
> Kyra
>
>



[cas-user] Re: CAS 5.3.7 Issue Pac4J OIDC + SAML2 Delegation

2019-02-13 Thread kyra1510
Any help?
I don't know where the problem is.




[cas-user] Re: CAS 5.3.7 Issue Pac4J OIDC + SAML2 Delegation

2019-02-08 Thread kyra1510
Here are the logs for the OIDC flow:

(Log excerpt from 2019-02-08 11:46:26 to 11:46:27; the message bodies did not survive the list rendering, only timestamps, levels, logger names and a few values remain.)

11:46:26,662-703 DEBUG org.apereo.cas.web.flow.actions.RedirectToServiceAction: three entries about the service https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId_uri=service.redirect_uri_type=code_name=CasOAuthClient (artifactId=null, principal=userPseudo, source=service, loggedOutAlready=false, format=XML, attributes={}), the last one "via event [redirect]".
11:46:27,055-056 DEBUG org.jasig.cas.client.validation.Cas30ServiceTicketValidator: five entries, one of them with the validation URL https://idp-oidc.fr/p3/serviceValidate?ticket=ST-1-***idp-oidc.fr=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3Dservice.clientId%26redirect_uri%3Dservice.redirect_uri%26response_type%3Dcode%26client_name%3DCasOAuthClient
11:46:27,227 INFO org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager: one audit entry.
11:46:27,246 DEBUG org.apereo.cas.web.AbstractServiceValidateController: four entries, the last one naming the callbackAuthorize service above.
11:46:27,254-256 DEBUG org.apereo.cas.web.view.Cas20ResponseView and org.apereo.cas.web.view.Cas30ResponseView: seven entries.
11:46:27,256-286 DEBUG org.apereo.cas.web.view.attributes.DefaultCas30ProtocolAttributesRenderer: eight entries rendering the attribute values urn:oasis:names:tc:SAML:1.0:am:password, UsernamePasswordCredential, true, 2019-02-08T11:46:26.544+01:00[Europe/Paris], AcceptUsersAuthenticationHandler (twice) and false.
11:46:27,310 DEBUG org.jasig.cas.client.validation.Cas30ServiceTicketValidator: the validation response for user userPseudo, containing allUserAttributesAllowed.
11:46:27,391 WARN org.apereo.cas.oidc.web.controllers.OidcAuthorizeEndpointController: one warning (body lost).
11:46:27,394 INFO org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager: two audit entries.

[cas-user] Re: CAS 5.3.7 Issue Pac4J OIDC + SAML2 Delegation

2019-02-08 Thread kyra1510


All logs for the normal OIDC flow:


(Log excerpt from 2019-02-08 11:44:30 to 11:46:26; the message bodies did not survive the list rendering, only timestamps, levels, logger names and a few values remain. The excerpt ends mid-entry.)

11:44:30,863 DEBUG org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver: four entries.
11:44:30,864 INFO org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager: two audit entries.
11:44:30,867 DEBUG org.apereo.cas.web.flow.login.InitializeLoginAction: two entries.
11:44:30,982-984 DEBUG org.apereo.cas.web.view.CasReloadableMessageBundle: four entries.
11:46:26,280 DEBUG org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver: two entries.
11:46:26,280-281 DEBUG org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver: eight entries; two of them resolve the service https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId_uri=service.redirect_uri_type=code_name=CasOAuthClient (artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={}) "from the request context".
11:46:26,282 DEBUG org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver: two entries.
11:46:26,319-322 DEBUG org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler: five entries.
11:46:26,350 INFO org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager: two audit entries.
11:46:26,355 DEBUG org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver: looking up the same callbackAuthorize service "in service registry to determine authentication policy", then one more entry; a third entry at 11:46:26,355 is cut off.

[cas-user] Re: CAS 5.3.7 Issue Pac4J OIDC + SAML2 Delegation

2019-02-08 Thread kyra1510
Here are my logs for the normal OIDC flow (the same excerpt as in the previous message):

[cas-user] Re: CAS 5.3.7 Issue Pac4J OIDC + SAML2 Delegation

2019-02-08 Thread kyra1510
(Log excerpt from 10:16:45 on 2019-02-08, starting mid-entry; the message bodies did not survive the list rendering, only timestamps, levels and logger names remain.)

10:16:45,695-696 DEBUG org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction: five entries.
10:16:45,705-731 INFO org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager: three audit entries.
10:16:45,733 DEBUG org.apereo.cas.web.flow.DefaultSingleSignOnParticipationStrategy: one entry.
10:16:45,734 DEBUG org.apereo.cas.web.flow.login.SendTicketGrantingTicketAction: one entry.
10:16:45,737-746 DEBUG org.apereo.cas.web.flow.GenerateServiceTicketAction: four entries.
10:16:45,750-775 INFO org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager: two audit entries.
10:16:45,780 DEBUG org.apereo.cas.web.flow.GenerateServiceTicketAction: one entry.
10:16:45,781-787 DEBUG org.apereo.cas.web.flow.actions.RedirectToServiceAction: five entries.

I don't know when the error occurred. I will publish the logs about the OIDC 
authentication later.


Thanks for your help,

Kyra




[cas-user] Re: CAS 5.3.7 Issue Pac4J OIDC + SAML2 Delegation

2019-02-07 Thread kyra1510
When I wrote service, I meant myService (the redirect_uri). Sorry for the 
trouble.




[cas-user] Re: CAS 5.3.7 Issue Pac4J OIDC + SAML2 Delegation

2019-02-07 Thread kyra1510
Hi Andy,

Thanks for looking at my problem.
I'm not sure the problem is the OIDC authentication protocol.

Here are my Tomcat logs (I anonymised my logs):

The IDP OIDC is the CAS 5.3.7 OIDC and the IDP SAML2 is the IDP to which I 
delegate the authentication.

*LOG tomcat about the authentication OIDC without delegation SAML2*

[07/Feb/2019:09:02:44 +0100] ip GET /oidc/authorize?response_type=code_id=clientId_uri=service pe==af0ifjsldkj_values=test HTTP/1.1 ?response_type=code_id=clientId_uri=service==af0ifjsldkj_values=test 302 5 451

[07/Feb/2019:09:02:48 +0100] ip GET /login?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode HTTP/1.1 ?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode 200 12090 2211

[07/Feb/2019:09:17:51 +0100] ip POST /login?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient HTTP/1.1 ?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient 302 - 427

[07/Feb/2019:09:17:53 +0100] ip GET /p3/serviceValidate?ticket=ST-1-xxidp-oidc.fr=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient HTTP/1.1 ?ticket=ST-1-xxidp-oidc.fr=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient 200 960 117

[07/Feb/2019:09:17:53 +0100] ip GET /oauth2.0/callbackAuthorize?client_id=clientId_uri=service_values=test_type=code_name=CasOAuthClient=ST-1-xxxAidp-oidc.fr HTTP/1.1 ?client_id=clientId_uri=service_values=test_type=code_name=CasOAuthClient=ST-1-xxAidp-oidc.fr 302 - 345

[07/Feb/2019:09:17:54 +0100] 10.35.103.12 GET /oidc/authorize?response_type=code_id=clientId_uri=service==af0ifjsldkj_values=test HTTP/1.1 ?response_type=code_id=clientId_uri=service==af0ifjsldkj_values=test 200 2563 75

*LOG tomcat about the authentication OIDC with delegation SAML2*

[07/Feb/2019:09:25:17 +0100] ip GET /oidc/authorize?response_type=code_id=clientId_uri=service pe==af0ifjsldkj_values=test HTTP/1.1 ?response_type=code_id=clientId_uri=service==af0ifjsldkj_values=test 302 5 11

[07/Feb/2019:09:25:18 +0100] ip GET /login?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode HTTP/1.1 ?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode 200 8909 138

[07/Feb/2019:09:30:38 +0100] ip GET /clientredirect?client_name=IDP-SAML2=service HTTP/1.1 ?client_name=SAML2=service 302 - 393

[07/Feb/2019:09:32:27 +0100] ip POST /login?client_name=IDP-SAML HTTP/1.1 ?client_name=clientId 302 - 247

[07/Feb/2019:09:32:28 +0100] 10.35.103.12 GET service?ticket=ST-2-x HTTP/1.1 ?ticket=ST-2-xxidp-oidc 404 2343 128

I see that during the OIDC authentication without SAML2 delegation, 
/p3/serviceValidate is called, but it is not called with the SAML2 delegation.
I think the problem occurs when the IDP-SAML2 sends the response to the 
IDP-OIDC.

Thanks for your help

Kyra

On Wednesday, 6 February 2019 at 08:56:47 UTC+1, kyra1510 wrote:
>
> Hi all,
>
> I apologize for my French English.
>
> I have a problem when I upgrade my CAS 5.2.x to CAS 5.3.7 with the SAML 
> delegation.
> My CAS 5.3.7 is configured to use OpenID Connect authentication, but it 
> is possible to delegate the authentication to a SAML2 IDP.
> I have no problem with the delegation in CAS 5.2.x.
>
> When I use the OIDC authentication without delegation, the workflow is 
> correct.
> Workflow:
> 1. The user enters their password and logs in on the authentication page
> 2. The user is redirected to a consent page
> 3. When they click the "allow" button, an authorization code is returned
>
> But when I use the SAML2 delegation, I am not redirected to the consent page:
> 1. The user clicks the button which redirects to the correct IDP
> 2. The user logs in on the SAML IDP
> 3. Then the user is returned to my CAS 5.3.7 and arrives on the page 
> service?ticket=ST-x 
> <https://idp-auth.poc-mobilite.test-gar.education.fr

[cas-user] Re: CAS 5.3.7 Issue Pac4J OIDC + SAML2 Delegation

2019-02-07 Thread kyra1510
Hi Andy,

Thanks for looking at my problem.
I'm not sure the problem is the OIDC authentication protocol.

Here are my Tomcat logs (I have anonymised them):

The IDP OIDC is the CAS 5.3.7 OIDC and the IDP SAML2 is the IDP to which I 
delegate the authentication.

*LOG tomcat about the authentication OIDC without delegation SAML2*

[07/Feb/2019:09:02:44 +0100] ip GET /oidc/authorize?response_type=code_id=clientId_uri=servicepe==af0ifjsldkj_values=test HTTP/1.1 ?response_type=code_id=clientId_uri=service==af0ifjsldkj_values=test 302 5 451

[07/Feb/2019:09:02:48 +0100] ip GET /login?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode HTTP/1.1 ?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode 200 12090 2211

[07/Feb/2019:09:17:51 +0100] ip POST /login?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient HTTP/1.1 ?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient 302 - 427

[07/Feb/2019:09:17:53 +0100] ip GET /p3/serviceValidate?ticket=ST-1-xxidp-oidc.fr=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient HTTP/1.1 ?ticket=ST-1-xxidp-oidc.fr=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient 200 960 117

[07/Feb/2019:09:17:53 +0100] ip GET /oauth2.0/callbackAuthorize?client_id=clientId_uri=service_values=test_type=code_name=CasOAuthClient=ST-1-xxxAidp-oidc.fr HTTP/1.1 ?client_id=clientId_uri=service_values=test_type=code_name=CasOAuthClient=ST-1-xxAidp-oidc.fr 302 - 345

[07/Feb/2019:09:17:54 +0100] 10.35.103.12 GET /oidc/authorize?response_type=code_id=clientId_uri=service==af0ifjsldkj_values=test HTTP/1.1 ?response_type=code_id=clientId_uri=service==af0ifjsldkj_values=test 200 2563 75

*LOG tomcat about the authentication OIDC with delegation SAML2*

[07/Feb/2019:09:25:17 +0100] ip GET /oidc/authorize?response_type=code_id=clientId_uri=servicepe==af0ifjsldkj_values=test HTTP/1.1 ?response_type=code_id=clientId_uri=service==af0ifjsldkj_values=test 302 5 11

[07/Feb/2019:09:25:18 +0100] ip GET /login?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode HTTP/1.1 ?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode 200 8909 138

[07/Feb/2019:09:30:38 +0100] ip GET /clientredirect?client_name=IDP-SAML2=service HTTP/1.1 ?client_name=SAML2=service 302 - 393

[07/Feb/2019:09:32:27 +0100] ip POST /login?client_name=IDP-SAML HTTP/1.1 ?client_name=clientId 302 - 247

[07/Feb/2019:09:32:28 +0100] 10.35.103.12 GET service?ticket=ST-2-x HTTP/1.1 ?ticket=ST-2-xxidp-oidc 404 2343 128

I see that during the OIDC authentication without SAML2 delegation, 
/p3/serviceValidate is called, but it is not called with the SAML2 delegation.
I think the problem occurs when the IDP-SAML2 sends the response to the 
IDP-OIDC.


On Wednesday, 6 February 2019 at 08:56:47 UTC+1, kyra1510 wrote:
>
> Hi all,
>
> I apologize for my French English.
>
> I have a problem when I upgrade my CAS 5.2.x to CAS 5.3.7 with the SAML 
> delegation.
> My CAS 5.3.7 is configured to use OpenID Connect authentication, but it 
> is possible to delegate the authentication to a SAML2 IDP.
> I have no problem with the delegation in CAS 5.2.x.
>
> When I use the OIDC authentication without delegation, the workflow is 
> correct.
> Workflow:
> 1. The user enters their password and logs in on the authentication page
> 2. The user is redirected to a consent page
> 3. When they click the "allow" button, an authorization code is returned
>
> But when I use the SAML2 delegation, I am not redirected to the consent page:
> 1. The user clicks the button which redirects to the correct IDP
> 2. The user logs in on the SAML IDP
> 3. Then the user is returned to my CAS 5.3.7 and arrives on the page 
> service?ticket=ST-x 
> <https://idp-auth.poc-mobilite.test-gar.education.fr/com.worldline.bcmc.gar.ope

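The two traces above (the direct login and the SAML2-delegated one) can be checked mechanically rather than by eye. What follows is an added example written for this thread, not code from CAS, pac4j or the poster: it parses Tomcat access-log lines in the layout shown above and reports where the service ticket ended up. The chain it expects (/oidc/authorize, /login with the callbackAuthorize URL as service, POST /login, /p3/serviceValidate, /oauth2.0/callbackAuthorize, then the 200 from /oidc/authorize) is taken from the order of the working trace. The sample log lines are constructed to mirror the anonymised ones, with the '&' separators the archive stripped put back; the hostnames, client addresses, ticket values and the relying party's redirect_uri (https://rp.example.org/oauthredirect) are made up. The comparison of the ticket's destination with the redirect_uri path is the example's own check, not something the thread establishes.

```python
"""Audit a CAS OIDC authorization-code login from Tomcat access-log lines.

Added example for this thread (not CAS, pac4j or the poster's code). The
expected chain is taken from the working trace in the thread; hostnames,
addresses, tickets and the relying party's redirect_uri are made up.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# "[timestamp] client METHOD uri HTTP/1.x ?query status bytes millis", as in the thread
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<client>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) "
    r"HTTP/1\.[01] (?P<query>\S*) (?P<status>\d{3}) (?P<bytes>-|\d+) (?P<millis>\d+)$"
)


@dataclass
class Entry:
    ts: str
    client: str
    method: str
    path: str
    params: dict  # first value of each query parameter, percent-decoded once
    status: int


def parse_line(line: str) -> Entry:
    m = LOG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised access-log line: {line!r}")
    parts = urlsplit(m["uri"])
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return Entry(m["ts"], m["client"], m["method"], parts.path, params, int(m["status"]))


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def audit_flow(entries: list) -> list:
    """Findings for one login attempt; an empty list means the chain completed."""
    findings = []
    login = next((e for e in entries if e.path == "/login" and "service" in e.params), None)
    if login is None:
        return ["no /login request carries service=, so the expected callback is unknown"]
    # service= is CAS's own OAuth callback; its query carries the relying party's redirect_uri.
    callback = urlsplit(login.params["service"])
    inner = {k: v[0] for k, v in parse_qs(callback.query).items()}
    rp_redirect_path = urlsplit(inner.get("redirect_uri", "")).path

    ticket_hits = [e for e in entries if "ticket" in e.params]
    if not ticket_hits:
        findings.append("no request carried a service ticket after login")
    for e in ticket_hits:
        if e.path in (callback.path, "/p3/serviceValidate"):
            continue  # the two places a ticket legitimately shows up
        msg = f"ticket {e.params['ticket']} was sent to {e.path} (HTTP {e.status}) instead of {callback.path}"
        if rp_redirect_path and e.path == rp_redirect_path:
            msg += "; that is the relying party's redirect_uri path, where a CAS ticket cannot be validated"
        findings.append(msg)

    validated = {e.params["ticket"] for e in entries if e.path == "/p3/serviceValidate" and e.status == 200}
    delivered = {e.params["ticket"] for e in entries if e.path == callback.path}
    if not delivered:
        findings.append(f"{callback.path} was never reached, so no authorization code could be issued")
    for t in sorted(delivered - validated):
        findings.append(f"ticket {t} reached {callback.path} but never passed /p3/serviceValidate")
    consent = [e for e in entries if e.path == "/oidc/authorize" and e.status == 200]
    if delivered and not consent:
        findings.append("callback completed but /oidc/authorize never returned 200 (no consent page)")
    return findings


# Constructed sample lines mirroring the thread's two traces ('&' separators restored).
RP_CB = "https%3A%2F%2Frp.example.org%2Foauthredirect"
AUTHZ = f"response_type=code&client_id=clientId&redirect_uri={RP_CB}&scope=openid&state=af0ifjsldkj&acr_values=test"
CALLBACK = ("https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient"
            "%26client_id%3DclientId%26redirect_uri%3Dhttps%253A%252F%252Frp.example.org%252Foauthredirect"
            "%26acr_values%3Dtest%26response_type%3Dcode")
CB_QUERY = f"client_id=clientId&redirect_uri={RP_CB}&acr_values=test&response_type=code&client_name=CasOAuthClient&ticket=ST-1-abc"

DIRECT_LOGIN = f"""
[07/Feb/2019:09:02:44 +0100] 10.0.0.5 GET /oidc/authorize?{AUTHZ} HTTP/1.1 ?{AUTHZ} 302 5 451
[07/Feb/2019:09:02:48 +0100] 10.0.0.5 GET /login?service={CALLBACK} HTTP/1.1 ?service={CALLBACK} 200 12090 2211
[07/Feb/2019:09:17:51 +0100] 10.0.0.5 POST /login?service={CALLBACK} HTTP/1.1 ?service={CALLBACK} 302 - 427
[07/Feb/2019:09:17:53 +0100] 10.0.0.9 GET /p3/serviceValidate?ticket=ST-1-abc&service={CALLBACK} HTTP/1.1 ?ticket=ST-1-abc&service={CALLBACK} 200 960 117
[07/Feb/2019:09:17:53 +0100] 10.0.0.5 GET /oauth2.0/callbackAuthorize?{CB_QUERY} HTTP/1.1 ?{CB_QUERY} 302 - 345
[07/Feb/2019:09:17:54 +0100] 10.0.0.5 GET /oidc/authorize?{AUTHZ} HTTP/1.1 ?{AUTHZ} 200 2563 75
"""

DELEGATED_LOGIN = f"""
[07/Feb/2019:09:25:17 +0100] 10.0.0.5 GET /oidc/authorize?{AUTHZ} HTTP/1.1 ?{AUTHZ} 302 5 11
[07/Feb/2019:09:25:18 +0100] 10.0.0.5 GET /login?service={CALLBACK} HTTP/1.1 ?service={CALLBACK} 200 8909 138
[07/Feb/2019:09:30:38 +0100] 10.0.0.5 GET /clientredirect?client_name=IDP-SAML2&service={CALLBACK} HTTP/1.1 ?client_name=IDP-SAML2&service={CALLBACK} 302 - 393
[07/Feb/2019:09:32:27 +0100] 10.0.0.5 POST /login?client_name=IDP-SAML2 HTTP/1.1 ?client_name=IDP-SAML2 302 - 247
[07/Feb/2019:09:32:28 +0100] 10.0.0.5 GET /oauthredirect?ticket=ST-2-def HTTP/1.1 ?ticket=ST-2-def 404 2343 128
"""

if __name__ == "__main__":
    for name, text in (("direct", DIRECT_LOGIN), ("delegated", DELEGATED_LOGIN)):
        print(name, audit_flow(parse_log(text)) or "ok")
```

Run against the direct trace it reports nothing; against the delegated trace it reports that the ticket went to the relying party's path with a 404 and that /oauth2.0/callbackAuthorize was never reached, which is the same gap the poster noticed by looking for /p3/serviceValidate. On a real log, group lines by client address and session before feeding them to audit_flow, since the validation call comes from the CAS server itself rather than the browser.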
[cas-user] Re: CAS 5.3.7 Issue Pac4J OIDC + SAML2 Delegation

2019-02-07 Thread kyra1510
Hi Andy,

Thanks for looking at my problem.
I don't believe the problem here concerns the OIDC authentication, because 
without delegation everything is working fine.
The problem occurs when the SAML2 IDP sends the response to continue the 
OIDC workflow.

I am adding my Tomcat logs:
[07/Feb/2019:09:32:27 +0100] 10.35.103.12 POST /login?client_name=IDP-ENT-test-dev3 HTTP/1.1 ?client_name=IDP-ENT-test-dev3 302 - 247
[07/Feb/2019:09:32:28 +0100] 10.35.103.12 GET /com.worldline.bcmc.gar.openidcpoc.oidcnongar:/oauthredirect?ticket=ST-2-g39DHh3ccg9ysMHPowqL62jCSJAidp-auth.poc-mobilite.test-gar.education.fr HTTP/1.1 ?ticket=ST-2-g39DHh3ccg9ysMHPowqL62jCSJAidp-auth.poc-mobilite.test-gar.education.fr 404 2343 128

*LOG tomcat about the authentication OIDC without delegation SAML2*

[07/Feb/2019:09:02:44 +0100] ip GET /oidc/authorize?response_type=code_id=clientId_uri=servicepe==af0ifjsldkj_values=test HTTP/1.1 ?response_type=code_id=clientId_uri=service==af0ifjsldkj_values=test 302 5 451

[07/Feb/2019:09:02:48 +0100] ip GET /login?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode HTTP/1.1 ?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode 200 12090 2211

[07/Feb/2019:09:17:51 +0100] ip POST /login?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient HTTP/1.1 ?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient 302 - 427

[07/Feb/2019:09:17:53 +0100] ip GET /p3/serviceValidate?ticket=ST-1-xxidp-oidc.fr=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient HTTP/1.1 ?ticket=ST-1-xxidp-oidc.fr=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient 200 960 117

[07/Feb/2019:09:17:53 +0100] ip GET /oauth2.0/callbackAuthorize?client_id=clientId_uri=service_values=test_type=code_name=CasOAuthClient=ST-1-xxxAidp-oidc.fr HTTP/1.1 ?client_id=clientId_uri=service_values=test_type=code_name=CasOAuthClient=ST-1-xxAidp-oidc.fr 302 - 345

[07/Feb/2019:09:17:54 +0100] 10.35.103.12 GET /oidc/authorize?response_type=code_id=clientId_uri=service==af0ifjsldkj_values=test HTTP/1.1 ?response_type=code_id=clientId_uri=service==af0ifjsldkj_values=test 200 2563 75

*LOG tomcat about the authentication OIDC with delegation SAML2*

[07/Feb/2019:09:25:17 +0100] ip GET /oidc/authorize?response_type=code_id=clientId_uri=servicepe==af0ifjsldkj_values=test HTTP/1.1 ?response_type=code_id=clientId_uri=service==af0ifjsldkj_values=test 302 5 11

[07/Feb/2019:09:25:18 +0100] ip GET /login?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode HTTP/1.1 ?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode 200 8909 138

[07/Feb/2019:09:30:38 +0100] ip GET /clientredirect?client_name=IDP-SAML2=service HTTP/1.1 ?client_name=SAML2=service 302 - 393

[07/Feb/2019:09:32:27 +0100] ip POST /login?client_name=IDP-SAML HTTP/1.1 ?client_name=clientId 302 - 247

[07/Feb/2019:09:32:28 +0100] ip GET service?ticket=ST-2-x HTTP/1.1 ?ticket=ST-2-xxidp-oidc 404 2343 128

In the OIDC authentication without SAML2, /p3/serviceValidate is called, 
but not with the SAML2 delegation.

Thanks for your help

Kyra

PS: I need to anonymise my logs.

On Thursday, 7 February 2019 at 04:01:35 UTC+1, Andy Ng wrote:
>
> Hi Kyra,
>
> After reading your problem, and if I am not mistaken, I think your problem 
> is mostly *not related* to https://github.com/apereo/cas/pull/3664 (I 
> will reference it as #3664), hence studying the fix from #3664 most likely 
> won't help you.
>
> In #3664, the problem occurs when using SAML 2 authentication with 
> attribute consent, and no additional delegation is involved.
> In your case, the problem occurs when using OIDC authentication with OAuth 
> consent, and there is SAML 2 delegation used.
>
> As you can see from the color, the triggers for the above 2 issues are 
> very different, so looking at #3664 is likely not going to give your

[cas-user] CAS 5.3.7 Issue Pac4J OIDC + SAML2 Delegation

2019-02-05 Thread kyra1510
Hi all,

I apologize for my French English.

I have a problem when I upgrade my CAS 5.2.x to CAS 5.3.7 with the SAML 
delegation.
My CAS 5.3.7 is configured to use OpenID Connect authentication, but it is 
possible to delegate the authentication to a SAML2 IDP.
I have no problem with the delegation in CAS 5.2.x.

When I use the OIDC authentication without delegation, the workflow is 
correct.
Workflow:
1. The user enters their password and logs in on the authentication page
2. The user is redirected to a consent page
3. When they click the "allow" button, an authorization code is returned

But when I use the SAML2 delegation, I am not redirected to the consent page:
1. The user clicks the button which redirects to the correct IDP
2. The user logs in on the SAML IDP
3. Then the user is returned to my CAS 5.3.7 and arrives on the page 
service?ticket=ST-x xxx and I get a 302 code

I found this issue on GitHub which seems to correspond to my 
problem: https://github.com/apereo/cas/pull/3664.
It describes the same issue in CAS 5.3.x in the SAML2 protocol before the 
bug was fixed. It didn't concern the delegation.
Could this problem be related to my issue?

Thanks for any help.

Kyra

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/266a8093-f4d3-4ffa-bfea-1d071d595933%40apereo.org.