CAS Delegated authentication SAML/OIDC

I'm trying to test a POC with CAS Delegated Authentication PAC4J.

The target Authentication flow is the following:

  1. Client requests access to SP (SAML client)
  2. SP redirects to my CAS Server (SAML IDP)
  3. CAS IDP displays the authentication methods (MENU)
  4. User selects oidcClient
  5. The oidc IDP displays the login page
  6. The authentication is accepted
  7. SP displays the secured resource

There is no problem on steps 1 to 6.

The 7th step doesn't work and CAS displays an error message (translated): "Application not authorized to use CAS... may be not registered application.."

The error message on the server is:

ERROR [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - <Delegated client identifier cannot be located in the authentication request [http://localhost:8447/cas/login?code=kgh33f0wEwwRVIr-wS14uKjOFiJQGIv3oU_me-AKnEYZG&state=589160ah66&client_name=oidcFederation]>
ERROR [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <
    DefaultDelegatedClientAuthenticationWebflowManager.java:retrieveSessionTicketViaClientId:236
    DefaultDelegatedClientAuthenticationWebflowManager.java:retrieve:84
    DelegatedClientAuthenticationAction.java:restoreAuthenticationRequestInContext:285
>

The configuration is as follows:

cas.authn.pac4j.oidc[0].generic.type=GENERIC
cas.authn.pac4j.oidc[0].generic.useNonce=true
cas.authn.pac4j.oidc[0].generic.disable-pkce=true
cas.authn.pac4j.oidc[0].generic.scope=openid profile email
cas.authn.pac4j.oidc[0].generic.discovery-uri=https://{url}/.well-known/openid-configuration
cas.authn.pac4j.oidc[0].generic.id={id}
cas.authn.pac4j.oidc[0].generic.secret={secret}
cas.authn.pac4j.oidc[0].generic.client-name=oidcFederation
cas.authn.pac4j.oidc[0].generic.principal-id-attribute=email
cas.authn.pac4j.oidc[0].generic.preferred-jws-algorithm=RS256
cas.authn.pac4j.oidc[0].generic.client-authentication-method=client_secret_basic
cas.authn.pac4j.oidc[0].generic.supported-client-authentication-methods=client_secret_basic,client_secret_post

The SAML client is declared as follows:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "Example1",
  "name" : "example1",
  "theme" : "apereo",
  "id" :  10000322,
  "description" : "example1",
  "evaluationOrder" : 8,
  "metadataLocation" : "/etc/config/cas/clients/example1/metadata/example1_metadata.xml"
}

In the log I can see:

ACTION: DELEGATED_CLIENT_SUCCESS
but after that it displays:
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
TRACE [org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter] - <Resolved registered service from request can not be located>
....
[org.apereo.cas.pac4j.DistributedJEESessionStore] - <Getting key: [OIDC_CLIENT_ID]>
[org.apereo.cas.pac4j.DistributedJEESessionStore] - <Fetched session id from context>
[org.apereo.cas.pac4j.DistributedJEESessionStore] - <Session id not found as a request attribute; checking session cookie [DISSESSION]>

...
[org.apereo.cas.pac4j.DistributedJEESessionStore] - <Fetched session id: [null]>
[org.apereo.cas.pac4j.DistributedJEESessionStore] - <Setting key: [OIDC_CLIENT_ID]>
[org.apereo.cas.pac4j.DistributedJEESessionStore] - <Fetching session id...>
[org.apereo.cas.pac4j.DistributedJEESessionStore] - <Fetched session id from context>
[org.apereo.cas.pac4j.DistributedJEESessionStore] - <Session id not found as a request attribute; checking session cookie [DISSESSION]>
[org.apereo.cas.pac4j.DistributedJEESessionStore] - <Fetched session id: [null]>
[org.apereo.cas.pac4j.DistributedJEESessionStore] - <Generated session id: [c7feea76-035e-4311-8e4b-cc1c1e2cd698]>
[org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator] - <Creating CAS cookie [DISSESSION]>
[org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator] - <Marked cookie [DISSESSION] as secure as indicated by cookie configuration or the configured same-site policy set to []>
[org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator] - <Adding cookie header as [DISSESSION=c7feea76-035e-4311-8e4b-cc1c1e2cd698; Path=/cas; SameSite=None; Secure; HttpOnly]>
[org.apereo.cas.pac4j.DistributedJEESessionStore] - <Fetched session id from context>
[org.apereo.cas.pac4j.DistributedJEESessionStore] - <Fetched session id: [c7feea76-035e-4311-8e4b-cc1c1e2cd698]>
[org.apereo.cas.pac4j.DistributedJEESessionStore] - <fetching ticket: [TST-c7feea76-035e-4311-8e4b-cc1c1e2cd698]>
[org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Ticket encryption is not enabled. Falling back to default behavior>
[org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Ticket [TST-c7feea76-035e-4311-8e4b-cc1c1e2cd698] could not be found>
[org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Ticket [TST-c7feea76-035e-4311-8e4b-cc1c1e2cd698] with type [TransientSessionTicket] cannot be found>
[org.apereo.cas.pac4j.DistributedJEESessionStore] - <null>

org.apereo.cas.ticket.InvalidTicketException: null
    at org.apereo.cas.ticket.registry.AbstractTicketRegistry.getTicket(AbstractTicketRegistry.java:76) ~[cas-server-core-tickets-api-6.6.7.jar!/:6.6.7]
    at org.apereo.cas.pac4j.DistributedJEESessionStore.getTransientSessionTicketForSession(DistributedJEESessionStore.java:148) ~[cas-server-support-pac4j-api-6.6.7.jar!/:6.6.7]
    at org.apereo.cas.pac4j.DistributedJEESessionStore.set(DistributedJEESessionStore.java:82) ~[cas-server-support-pac4j-api-6.6.7.jar!/:6.6.7]
    at org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager.getDelegatedClientIdFromSessionStore(DefaultDelegatedClientAuthenticationWebflowManager.java:282) ~[cas-server-support-pac4j-core-6.6.7.jar!/:6.6.7]
    at org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager.getDelegatedClientId(DefaultDelegatedClientAuthenticationWebflowManager.java:259) ~[cas-server-support-pac4j-core-6.6.7.jar!/:6.6.7]
    at org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager.retrieve(DefaultDelegatedClientAuthenticationWebflowManager.java:83) ~[cas-server-support-pac4j-core-6.6.7.jar!/:6.6.7]
    at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.restoreAuthenticationRequestInContext(DelegatedClientAuthenticationAction.java:285) ~[cas-server-support-pac4j-webflow-6.6.7.jar!/:6.6.7]
    at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.populateContextWithService(DelegatedClientAuthenticationAction.java:205) ~[cas-server-support-pac4j-webflow-6.6.7.jar!/:6.6.7]
    at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.lambda$doExecute$0(DelegatedClientAuthenticationAction.java:123) ~[cas-server-support-pac4j-webflow-6.6.7.jar!/:6.6.7]
    at java.util.Optional.orElseGet(Optional.java:369) ~[?:?]

The initial ticket is not retrieved: <Putting ticket [TST-1-********qq90aBCwdjkQP7dAHix] in registry.>
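A small model, added here and not CAS or pac4j code, of the state handling the log above traces: the transient session ticket is keyed by the session id carried in the DISSESSION cookie, so a callback that arrives without that cookie gets a fresh id and can never find its ticket, while a callback that presents the cookie is further bound to the request by the OIDC state and client_name. The in-memory registry, the function names and the helper cookie_sent_on (one reason the cookie can be missing: a Secure cookie on a plain-http callback) are assumptions for this example.

```python
import secrets
import uuid
from urllib.parse import urlsplit

# Constructed in-memory stand-in for the CAS ticket registry: ticket id -> payload.
REGISTRY: dict[str, dict] = {}

class InvalidTicketException(Exception):
    """Raised when a transient session ticket cannot be found in the registry."""

def get_ticket(ticket_id: str) -> dict:
    """Mirrors the registry lookup that logs 'Ticket [TST-...] could not be found'."""
    if ticket_id not in REGISTRY:
        raise InvalidTicketException(ticket_id)
    return REGISTRY[ticket_id]

def start_delegation(client_name: str, service: str) -> dict:
    """Step 4: the user picked a delegated client. CAS mints a session id, stores the
    request context under TST-<session id> and hands the browser the DISSESSION cookie
    plus the OIDC state that the external IdP will echo back."""
    session_id = str(uuid.uuid4())
    state = secrets.token_urlsafe(8)
    REGISTRY[f"TST-{session_id}"] = {"client_name": client_name, "service": service, "state": state}
    return {"cookie": {"DISSESSION": session_id}, "state": state}

def handle_callback(cookies: dict, query: dict) -> str:
    """Step 6 callback: the session id must come from the DISSESSION cookie. Without it
    a fresh id is generated whose ticket never existed, which is the
    InvalidTicketException path in the question's log."""
    session_id = cookies.get("DISSESSION") or str(uuid.uuid4())
    ticket = get_ticket(f"TST-{session_id}")
    # Bind the callback to the original request: state and client_name must match.
    if not secrets.compare_digest(ticket["state"], query.get("state", "")):
        raise InvalidTicketException("state mismatch")
    if ticket["client_name"] != query.get("client_name"):
        raise InvalidTicketException("client_name mismatch")
    return ticket["service"]

def cookie_sent_on(set_cookie: str, callback_url: str) -> bool:
    """Would a browser send this cookie to the callback URL? A Secure cookie only goes
    over https; assumption: current browsers also treat http://localhost as secure."""
    secure = any(a.strip().lower() == "secure" for a in set_cookie.split(";"))
    url = urlsplit(callback_url)
    return (not secure) or url.scheme == "https" or url.hostname == "localhost"
```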
