Hello Pablo,

Here is what I have configured for my SAML Auth against Azure EntraID. I do have the client-name set, but I do not have some of the other options:

cas.authn.pac4j.saml[0].clientName=TAMUCC_AAD
cas.authn.pac4j.saml[0].keystore-password=PASS
cas.authn.pac4j.saml[0].private-key-password=PASS
cas.authn.pac4j.saml[0].keystore-path=file:/etc/cas/saml/saml_keystore.jks
cas.authn.pac4j.saml[0].service-provider-entity-id=login-test.tamucc.edu
cas.authn.pac4j.saml[0].metadata.service-provider.file-system.location=file:/etc/cas/saml/login-test_sp_metadata.xml
cas.authn.pac4j.saml[0].metadata.identity-provider-metadata-path=https://login.microsoftonline.com/METADATA_HERE
cas.authn.pac4j.saml[0].maximum-authentication-lifetime=7776000
cas.authn.pac4j.saml[0].use-name-qualifier=false

I'll see if I can add a few of the missing configs.

Phil

On Tuesday, March 25, 2025 at 10:03:27 PM UTC-5 Pablo Vidaurri wrote:
> It looks like maybe you are missing a config property. There are many various OIDC configs depending on the flavor you are using (Azure, generic, google, etc). For example, I'm using generic oidc and these are some of the properties I have defined:
> cas.authn.pac4j.oidc[0].generic.enabled=true
> cas.authn.pac4j.oidc[0].generic.use-nonce=true
> cas.authn.pac4j.oidc[0].generic.client-name=myClient
> cas.authn.pac4j.oidc[0].generic.include-access-token-claims=true
> cas.authn.pac4j.oidc[0].generic.response-type=id_token
> cas.authn.pac4j.oidc[0].generic.discovery-uri=zzzzz
> cas.authn.pac4j.oidc[0].generic.id=yyyyy
> cas.authn.pac4j.oidc[0].generic.secret=xxxxx
> cas.authn.pac4j.oidc[0].generic.auto-redirect-type=SERVER
> cas.authn.pac4j.oidc[0].generic.callback-url-type=PATH_PARAMETER
> cas.authn.pac4j.oidc[0].generic.callback-url=${cas.server.prefix}/login
>
> Do you have a client-name defined that is matching the client name you provided in your service file? I myself have auto-redirect-type set to SERVER so that I do not have to define a delegation in my service files but with my use case I need all clients to go to the same OIDC idp.
>
> Also, you can review code to see what is causing log messages to display. For example, in your log you have this message "could not find flow definition" that AbstractCasWebflowConfigurer is displaying. You can look for the class such as (you may need a github acct to search)
>
> https://github.com/apereo/cas/blob/74ca3f1b3ee06af7fbb15dfc6080fb859623b188/core/cas-server-core-webflow-api/src/main/java/org/apereo/cas/web/flow/configurer/AbstractCasWebflowConfigurer.java#L97
> Select the version of cas you are using, and search for the string. You'll see it on line 681. It appears to me that register is not null but the flow def in is not found. Again, maybe double check your config.
>
>
> On Monday, March 24, 2025 at 12:53:20 PM UTC-5 Phil Hale wrote:
>> All,
>>
>> I switched the log to debug mode and got the following information on the failure:
>>
>> Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,248 INFO [org.apereo.inspektr.audit.AuditTrailManager] - <Audit trail record BEGIN
>> Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: =============================================================
>> Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: WHEN: 2025-03-24T17:04:37.243024734
>> Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: WHO: audit:unknown
>> Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: WHAT: {result=Service Access Granted, service=https://idm-cas-mgr-test.tamucc.edu/cas-management/callback?client_name=CasClient, requiredAttributes={}}
>> Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
>> Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: CLIENT_IP: 192.168.155.189
>> Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: SERVER_IP: 0:0:0:0:0:0:0:1
>> Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: =============================================================
>> Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: >
>> Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,256 DEBUG [org.apereo.cas.web.flow.CasFlowHandlerMapping] - <Mapped to [FlowHandlerMapping.DefaultFlowHandler@577337d8]>
>> Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,259 DEBUG [org.apereo.cas.web.flow.CasFlowHandlerAdapter] - <Configuring CAS webflow execution plan...>
>> Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,315 DEBUG [org.apereo.cas.web.flow.configurer.AbstractCasWebflowConfigurer] - <[OidcWebflowConfigurer] could not find flow definition [account]. Available flow definition ids are [[clientredirect, login]]>
>> Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,438 WARN [jakarta.persistence.spi] - <jakarta.persistence.spi::No valid providers found.>
>> Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,494 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for cookies for warn cookie generator to: [/cas/]>
>> Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,494 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for cookies for TGC cookie generator to: [/cas/]>
>> Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,496 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing service in context scope: [https://idm-cas-mgr-test.tamucc.edu/cas-management/callback?client_name=CasClient]>
>> Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,498 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing registered service [https\:\/\/idm\-cas\-mgr\-test\.tamucc\.edu\/.*] with id [1617150001173] in context scope>
>> Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,502 DEBUG [org.apereo.cas.web.flow.authentication.RegisteredServiceAuthenticationPolicySingleSignOnParticipationStrategy] - <Evaluating authentication policy [DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[], excludedAuthenticationHandlers=[], criteria=null)] for [CAS_Management_Test]>
>> Mar 24 12:04:39 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:39,720 DEBUG [org.apereo.cas.support.saml.DefaultOpenSamlConfigBean] - <Initialized OpenSaml successfully.>
>> Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,012 DEBUG [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Using pre-defined signing key to use for [cas.authn.oauth.session-replication.cookie.crypto.signing.key]>
>> Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,012 DEBUG [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Using pre-defined encryption key to use for [cas.authn.oauth.session-replication.cookie.crypto.encryption.key]>
>> Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,087 DEBUG [org.apereo.cas.logout.DefaultLogoutExecutionPlan] - <Registering logout handler [DelegatedAuthenticationEventExecutionPlanConfiguration$DelegatedAuthenticationEventExecutionPlanLogoutConfiguration$$Lambda/0x00007fabc531f1c8]>
>> Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,087 DEBUG [org.apereo.cas.logout.DefaultLogoutExecutionPlan] - <Registering logout handler [CasOAuth20Configuration$CasOAuth20LogoutConfiguration$$Lambda/0x00007fabc531f428]>
>> Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,249 DEBUG [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <Setting path for cookies for distributed session cookie generator to: [/cas/]>
>> Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,259 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Resolved single event [success] via [org.apereo.cas.web.flow.resolver.impl.RankedMultifactorAuthenticationProviderWebflowEventResolver] for this context>
>> Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,262 INFO [org.apereo.inspektr.audit.AuditTrailManager] - <Audit trail record BEGIN
>> Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: =============================================================
>> Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: WHEN: 2025-03-24T17:04:40.261826275
>> Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: WHO: audit:unknown
>> Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: WHAT: {source=RankedMultifactorAuthenticationProviderWebflowEventResolver, event=success, url=https://login-test.tamucc.edu/cas/login?service=https%3A%2F%2Fidm-cas-mgr-test.tamucc.edu%2Fcas-management%2Fcallback%3Fclient_name%3DCasClient, timestamp=2025-03-24T17:04:40.259}
>> Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: ACTION: AUTHENTICATION_EVENT_TRIGGERED
>> Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: CLIENT_IP: 192.168.155.189
>> Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: SERVER_IP: 0:0:0:0:0:0:0:1
>> Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: =============================================================
>> Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: >
>> Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,309 DEBUG [org.apereo.cas.oidc.web.flow.OidcRegisteredServiceUIAction] - <Found registered service [https\:\/\/idm\-cas\-mgr\-test\.tamucc\.edu\/.*] from the context>
>> Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,548 DEBUG [org.apereo.cas.web.flow.DefaultDelegatedClientIdentityProviderConfigurationProducer] - <Initialized context with request parameters [{service=[https://idm-cas-mgr-test.tamucc.edu/cas-management/callback?client_name=CasClient]}]>
>> Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,548 DEBUG [org.apereo.cas.support.pac4j.authentication.clients.BaseDelegatedIdentityProviderFactory] - <Builder [DelegatedClientOidcBuilder] provides [0] clients>
>> Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,549 DEBUG [org.apereo.cas.support.pac4j.authentication.clients.RefreshableDelegatedIdentityProviders] - <The following clients are built: [[]]>
>> Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,550 WARN [org.apereo.cas.web.flow.DefaultDelegatedClientIdentityProviderConfigurationProducer] - <No delegated authentication providers could be determined based on the provided configuration. Either no identity providers are configured, or the current access strategy rules prohibit CAS from using authentication providers>
>>
>> I'm not seeing much in the logs to help me determine the issue, but it's the same error as before.
>>
>> Phil
>>
>> On Friday, March 21, 2025 at 11:23:23 AM UTC-5 Richard Frovarp wrote:
>>> You're going to have to read through the documentation for Hazelcast to see what matches your needs. Most of the time in the past, upgrades are reimplementations. It is unfortunately a lot of work. OpenRewrite is supposed to help that from the best I know. I don't know if it will work until you get to 7.1 though. I haven't used it yet.
>>> https://apereo.github.io/cas/7.1.x/installation/OpenRewrite-Upgrade-Recipes.html
>>>
>>> On 3/20/25 13:47, Phil Hale wrote:
>>>
>>> I added the missing dependency and restarted the services and I'm still getting the same warning in the logs:
>>>
>>> 2025-03-20 13:15:27,445 WARN [com.hazelcast.instance.impl.HazelcastInstanceFactory] - <Hazelcast is starting in a Java modular environment (Java 9 and newer) but without proper access to required Java packages. Use additional Java arguments to provide Hazelcast access to Java internal API. The internal API access is used to get the best performance results. Arguments to be used:
>>>
>>> Are there any additional cas.properties I need to add to make this work again?
>>>
>>> Phil
>>>
>>> On Thursday, March 20, 2025 at 11:59:04 AM UTC-5 Pablo Vidaurri wrote:
>>>> Using OIDC I assume?
>>>>
>>>> Have you tried these dependencies:
>>>> implementation "org.apereo.cas:cas-server-support-pac4j-oidc"   <-- Looks like just introduced in 7.1.0
>>>> implementation "org.apereo.cas:cas-server-support-pac4j-webflow"
>>>>
>>>> -psv
>>>>
>>>> On Wednesday, March 19, 2025 at 10:00:52 PM UTC-5 Phil Hale wrote:
>>>>> Hello,
>>>>>
>>>>> I'm attempting to upgrade from CAS 7.0 to CAS 7.1. I can successfully build the war file and launch it without issues. When I attempt to log in I get the following error in the log file:
>>>>>
>>>>> cas.war[331470]: 2025-03-19 15:38:17,967 WARN [org.apereo.cas.web.flow.DefaultDelegatedClientIdentityProviderConfigurationProducer] - <No delegated authentication providers could be determined based on the provided configuration. Either no identity providers are configured, or the current access strategy rules prohibit CAS from using authentication providers>
>>>>>
>>>>> and the following on the web browser:
>>>>>
>>>>> [image: Screenshot From 2025-03-19 15-40-11.png]
>>>>>
>>>>> We have each service file set up to call out to a default identity provider with the following block in the service json file:
>>>>>   accessStrategy:
>>>>>   {
>>>>>     @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
>>>>>     delegatedAuthenticationPolicy:
>>>>>     {
>>>>>       @class: org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy
>>>>>       allowedProviders:
>>>>>       [
>>>>>         java.util.ArrayList
>>>>>         [
>>>>>           TAMUCC_AAD
>>>>>         ]
>>>>>       ]
>>>>>       permitUndefined: false
>>>>>       exclusive: true
>>>>>     }
>>>>>   }
>>>>>
>>>>> This works as expected in 7.0 but does not work in 7.1. In 7.0, we are automatically directed to the AAD login and after successfully logging in, given access to the app. I've compared the json service file formatting with what is documented and can't find any issues.
>>>>>
>>>>> Hopefully someone has some suggestions on what changes we need to make to get this working again.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Phil
>>>>>
>>>>> --
>>> - Website: https://apereo.github.io/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
>>> To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/cb0853c1-ee51-4a69-804d-06580dffe90dn%40apereo.org
>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/cb0853c1-ee51-4a69-804d-06580dffe90dn%40apereo.org?utm_medium=email&utm_source=footer>.
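Pablo's question in the thread (does a pac4j client-name in cas.properties match the provider named in the service file's delegatedAuthenticationPolicy?) and the "provides [0] clients" / "No delegated authentication providers could be determined" lines in Phil's debug log can both be checked mechanically. The script below is an added example, not code from this thread or from the CAS project: it reads a cas.properties text, collects every `cas.authn.pac4j.<protocol>[n](.<flavor>).client-name` value (accepting the camelCase `clientName` spelling Phil used), compares it with each service's `allowedProviders`, and tallies the `Builder [...] provides [N] clients` debug lines. The sample properties, service documents and log lines are constructed to mirror the thread. Assumptions: service documents are plain JSON (CAS also accepts HJSON, which this reader does not parse), `permitUndefined` defaults to true when absent, and the `unreachable` rule reflects the policy semantics I infer from the property names `exclusive` and `permitUndefined`, so confirm them against the CAS documentation for your version.

```python
"""Cross-check CAS delegated-authentication settings against service policies.
Added example; not code from the CAS project or from this thread."""
import json
import re
from dataclasses import dataclass

# cas.authn.pac4j.saml[0].client-name, cas.authn.pac4j.oidc[0].generic.client-name,
# and the camelCase spelling (clientName) that Spring's relaxed binding accepts.
CLIENT_NAME_KEY = re.compile(
    r"^cas\.authn\.pac4j\.(?P<proto>[a-z0-9]+)\[(?P<idx>\d+)\]"
    r"(?:\.(?P<flavor>[a-z0-9]+))?\.client[-_]?name$",
    re.IGNORECASE,
)
# Debug line emitted per builder, e.g. "Builder [DelegatedClientOidcBuilder] provides [0] clients"
BUILDER_LINE = re.compile(r"Builder \[(?P<builder>\w+)\] provides \[(?P<n>\d+)\] clients")


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value or key: value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def delegated_clients(props: dict) -> dict:
    """{client_name: property_key} for every pac4j client that has a name."""
    return {v: k for k, v in props.items() if CLIENT_NAME_KEY.match(k)}


def _unwrap(value):
    """CAS service JSON (Jackson default typing) writes lists as ["java.util.ArrayList", [...]]."""
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and isinstance(value[1], list)):
        return value[1]
    return list(value or [])


@dataclass
class Finding:
    service: str
    allowed: list          # providers named in the service policy
    undefined: list        # ...for which no client-name property exists
    exclusive: bool
    permit_undefined: bool

    @property
    def unreachable(self) -> bool:
        """Assumed semantics (verify against the CAS docs): a delegated-only policy
        (exclusive) that does not permit an undefined provider list, and none of
        whose allowed providers is actually configured, leaves no way to log in."""
        usable = [p for p in self.allowed if p not in self.undefined]
        return self.exclusive and not self.permit_undefined and not usable


def check_service(service: dict, clients: dict) -> Finding:
    policy = (service.get("accessStrategy") or {}).get("delegatedAuthenticationPolicy") or {}
    allowed = [str(p) for p in _unwrap(policy.get("allowedProviders"))]
    return Finding(
        service=str(service.get("name", "?")),
        allowed=allowed,
        undefined=[p for p in allowed if p not in clients],
        exclusive=bool(policy.get("exclusive", False)),
        permit_undefined=bool(policy.get("permitUndefined", True)),  # assumed CAS default
    )


def builder_counts(log_text: str) -> dict:
    """Which delegated-client builders reported, and how many clients each built."""
    return {m["builder"]: int(m["n"]) for m in BUILDER_LINE.finditer(log_text)}


# --- constructed samples modelled on the thread (not real deployment data) ---
SAMPLE_PROPERTIES = """\
# constructed sample
cas.authn.pac4j.saml[0].clientName=TAMUCC_AAD
cas.authn.pac4j.saml[0].service-provider-entity-id=login-test.tamucc.edu
cas.authn.pac4j.oidc[0].generic.client-name=myClient
"""
SAMPLE_SERVICES = [
    json.loads("""{"name": "CAS_Management_Test", "accessStrategy": {
        "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
        "delegatedAuthenticationPolicy": {
          "@class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
          "allowedProviders": ["java.util.ArrayList", ["TAMUCC_AAD"]],
          "permitUndefined": false, "exclusive": true}}}"""),
    # constructed: provider name does not match any configured client
    {"name": "Typo_Service", "accessStrategy": {"delegatedAuthenticationPolicy": {
        "allowedProviders": ["TAMUCC-AAD"], "permitUndefined": False, "exclusive": True}}},
]
SAMPLE_LOG = """\
DEBUG [...BaseDelegatedIdentityProviderFactory] - <Builder [DelegatedClientOidcBuilder] provides [0] clients>
WARN [...DefaultDelegatedClientIdentityProviderConfigurationProducer] - <No delegated authentication providers could be determined based on the provided configuration.>
"""


def run(props_text=SAMPLE_PROPERTIES, services=SAMPLE_SERVICES, log_text=SAMPLE_LOG):
    clients = delegated_clients(parse_properties(props_text))
    findings = [check_service(s, clients) for s in services]
    return clients, findings, builder_counts(log_text)


if __name__ == "__main__":
    clients, findings, builders = run()
    print("clients defined:", clients)
    for f in findings:
        print(f"{f.service}: allowed={f.allowed} undefined={f.undefined} unreachable={f.unreachable}")
    print("builders:", builders)
```

Run against the debug log quoted in the thread, `builder_counts` would return only `DelegatedClientOidcBuilder` with zero clients, which is the fact the final WARN line summarises; a missing provider name, or a name that differs from the client-name property by as little as a hyphen, shows up as `undefined`, and with `exclusive: true` plus `permitUndefined: false` the service is reported as unreachable rather than silently falling back to the login form.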