Do you mean this property: cas.authn.pac4j.saml[0].use-name-qualifier?

You can add it to your existing saml config. It is a boolean.

Ray

________________________________
From: cas-user@apereo.org <cas-user@apereo.org> on behalf of BJ Sys Admin <bjunetad...@gmail.com>
Sent: April 25, 2025 13:18
To: CAS Community <cas-user@apereo.org>
Cc: BJ Sys Admin <bjunetad...@gmail.com>
Subject: [cas-user] Re: CAS delegated auth to SAML in Azure doesn't like attribute in AuthnRequest XML (7.2.1)

The UseNameQualifier property noted on this page
(https://apereo.github.io/cas/7.2.x/integration/Delegate-Authentication-SAML2.html)
may be what I'm looking for, but I'm at a loss for how to manually configure
this property. All of the documentation I'm looking at appears to assume some
level of understanding that is not spelled out and that I don't have. I'm
attempting to do this with CAS Overlay and gradle.

It appears that the default for this property may be defined in the
Pac4jSamlClientProperties.java file
(https://github.com/apereo/cas/blob/e4352d642ce23fcc704ee693980c4263f968ea90/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/support/pac4j/saml/Pac4jSamlClientProperties.java#L207).

On Friday, April 25, 2025 at 2:15:34 PM UTC-4 BJ Sys Admin wrote:
I have been working on configuring a new CAS server to do delegated SAML2 auth 
with Azure as IdP. I nearly have it working but I'm now facing an issue with 
the XML generated by CAS for the authentication request.

CAS is generating XML for the SAML request that looks like this:
######## BEGIN AUTHNREQUEST XML ########
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="https://cas01.XXX.XXX/cas/login?client_name=SAML2CLIENT"
                     AttributeConsumingServiceIndex="0"
                     Destination="https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/saml2"
                     ForceAuthn="false"
                     ID="_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
                     IsPassive="false"
                     IssueInstant="2025-04-24T20:51:39.720Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Version="2.0"
                     >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  NameQualifier="https://cas01.XXX.XXX"
                  >https://cas01.XXX.XXX</saml2:Issuer>
</saml2p:AuthnRequest>
######### END AUTHNREQUEST XML #########

I've highlighted two lines that define the Format and NameQualifier attributes
of the Issuer element. When my tenant in Azure receives this request, it throws
an AADSTS75005 error (invalid SAML protocol message; see
https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/app-integration/error-code-aadsts75005-not-a-valid-saml-request).
However, if I manually modify the XML to remove either of the two highlighted
attributes (or both) and resubmit, the request clears and I am able to
authenticate.

I've been looking and have not yet found any way to remove one or both of these 
attributes from the XML that is generated by CAS and sent (via the client 
browser) to Azure. Does anyone know if there is a way to remove at least one of 
these attributes so that delegated SAML2 auth will work with Azure?

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b171d019-68e9-48a2-a81e-3534675668a5n%40apereo.org.

To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/YQBP288MB008185AD19903C2A24BF0B8FCE872%40YQBP288MB0081.CANP288.PROD.OUTLOOK.COM.
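Added example (written for this page; it is not code from the thread, from pac4j or from the CAS project): a small Python check for confirming, from the browser side, what the Issuer in the outgoing AuthnRequest carries once cas.authn.pac4j.saml[0].use-name-qualifier=false has been added to the overlay's cas.properties (the [0] index must be the same one that defines SAML2CLIENT and its metadata/keystore properties). It takes the SAMLRequest parameter as it appears in the redirect URL or POST form sent to login.microsoftonline.com, base64-decodes it and, for the HTTP-Redirect binding, inflates it, then reports the Issuer's value, Format and NameQualifier. The AuthnRequests it builds are constructed samples; the entity ID https://cas01.example.edu and the tenant placeholder are assumptions, and the builder only mirrors the shape shown in the thread (entity Format always present, NameQualifier only when the flag is on) rather than reusing pac4j's builder.

```python
"""
Added example, not from the CAS project or the thread above: decode a
SAMLRequest parameter the way a browser carries it to the IdP and report
which attributes the saml2:Issuer element carries. Sample requests below are
constructed; the entity ID and tenant URL are placeholders (assumptions).
"""
import base64
import xml.etree.ElementTree as ET
import zlib

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
ENTITY_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"


def build_authn_request(sp_entity_id: str, idp_sso_url: str,
                        use_name_qualifier: bool) -> bytes:
    """Constructed sample AuthnRequest with the Issuer shaped as in the thread:
    Format is always the entity format; NameQualifier is set only when
    use_name_qualifier is true. This mirrors the observed XML, not pac4j code."""
    ET.register_namespace("saml2p", NS_P)
    ET.register_namespace("saml2", NS_A)
    req = ET.Element(f"{{{NS_P}}}AuthnRequest", {
        "ID": "_example-request-id",            # placeholder, not a real ID
        "Version": "2.0",
        "IssueInstant": "2025-04-24T20:51:39.720Z",
        "Destination": idp_sso_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    issuer = ET.SubElement(req, f"{{{NS_A}}}Issuer", {"Format": ENTITY_FMT})
    if use_name_qualifier:
        issuer.set("NameQualifier", sp_entity_id)
    issuer.text = sp_entity_id
    return ET.tostring(req, encoding="utf-8", xml_declaration=True)


def encode_saml_request(xml_bytes: bytes, binding: str) -> str:
    """Encode as the SAMLRequest parameter: the HTTP-Redirect binding uses raw
    DEFLATE (no zlib header) then base64; the HTTP-POST binding uses base64 only."""
    if binding == "redirect":
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = comp.compress(xml_bytes) + comp.flush()
    elif binding == "post":
        data = xml_bytes
    else:
        raise ValueError(f"unknown binding: {binding}")
    return base64.b64encode(data).decode("ascii")


def decode_saml_request(param: str) -> bytes:
    """Reverse of encode_saml_request without being told the binding:
    base64-decode, then raw-inflate unless the bytes are already XML."""
    data = base64.b64decode(param)
    if data.lstrip().startswith(b"<"):
        return data
    return zlib.decompress(data, -15)


def issuer_attributes(xml_bytes: bytes) -> dict:
    """Return the Issuer's text value and its Format/NameQualifier attributes
    (None when an attribute is absent)."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS_P}}}AuthnRequest":
        raise ValueError("not a saml2p:AuthnRequest")
    issuer = root.find(f"{{{NS_A}}}Issuer")
    if issuer is None:
        raise ValueError("AuthnRequest has no saml2:Issuer")
    return {
        "value": (issuer.text or "").strip(),
        "Format": issuer.get("Format"),
        "NameQualifier": issuer.get("NameQualifier"),
    }


def check_saml_request(param: str) -> dict:
    """Decode a SAMLRequest parameter and report the Issuer attributes, plus a
    flag for the NameQualifier attribute the thread had to remove by hand."""
    attrs = issuer_attributes(decode_saml_request(param))
    attrs["has_name_qualifier"] = attrs["NameQualifier"] is not None
    return attrs


if __name__ == "__main__":
    sp = "https://cas01.example.edu"                            # assumption
    idp = "https://login.microsoftonline.com/TENANT-ID/saml2"   # placeholder
    for flag in (True, False):
        param = encode_saml_request(build_authn_request(sp, idp, flag), "redirect")
        print(f"use_name_qualifier={flag}: {check_saml_request(param)}")
```

Run it as-is to see both Issuer shapes. To check a live request from your own CAS, copy the SAMLRequest value out of the redirect URL (URL-decode it first) or out of the hidden form field and pass it to check_saml_request; after the property change, has_name_qualifier should come back False while Format is still the entity format. If the parameter comes from anything other than your own CAS, parse it with defusedxml rather than xml.etree, because the standard-library parser expands internal entities.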
