Thank you! That's exactly what I was looking for. I put it in my 
application.yml file and that did the trick. For anyone else who may land 
here, the config in the application.yml file looks more like:
cas:
  authn:
    pac4j:
      saml[0]:
        use-name-qualifier: false

On Friday, April 25, 2025 at 11:20:24 PM UTC-4 Ray Bon wrote:

> Do you mean this property, cas.authn.pac4j.saml[0].use-name-qualifier?
>
> You can add it to your existing saml config. It is a boolean.
>
> Ray
>
> ------------------------------
> *From:* cas-...@apereo.org <cas-...@apereo.org> on behalf of BJ Sys Admin 
> <bjune...@gmail.com>
> *Sent:* April 25, 2025 13:18
> *To:* CAS Community <cas-...@apereo.org>
> *Cc:* BJ Sys Admin <bjune...@gmail.com>
> *Subject:* [cas-user] Re: CAS delegated auth to SAML in Azure doesn't 
> like attribute in AuthnReqest XML (7.2.1) 
>  
> The UseNameQualifier property noted on this page 
> <https://apereo.github.io/cas/7.2.x/integration/Delegate-Authentication-SAML2.html>
> may be what I'm looking for, but I'm at a loss for how to manually configure 
> this property. All of the documentation I'm looking at appears to assume 
> some level of understanding that is not spelled out and that I don't have. 
> I'm attempting to do this with CAS Overlay and gradle. 
>
> It appears that the default for this property may be defined in the 
> Pac4jSamlClientProperties.java 
> <https://github.com/apereo/cas/blob/e4352d642ce23fcc704ee693980c4263f968ea90/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/support/pac4j/saml/Pac4jSamlClientProperties.java#L207>
> file.
>
> On Friday, April 25, 2025 at 2:15:34 PM UTC-4 BJ Sys Admin wrote:
>
> I have been working on configuring a new CAS server to do delegated SAML2 
> auth with Azure as IdP. I nearly have it working but I'm now facing an 
> issue with the XML generated by CAS for the authentication request. 
>
> CAS is generating XML for the SAML request that looks like this:
> ######## BEGIN AUTHNREQUEST XML ########
> <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>                      AssertionConsumerServiceURL="https://cas01.XXX.XXX/cas/login?client_name=SAML2CLIENT"
>                      AttributeConsumingServiceIndex="0"
>                      Destination="https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/saml2"
>                      ForceAuthn="false"
>                      ID="_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
>                      IsPassive="false"
>                      IssueInstant="2025-04-24T20:51:39.720Z"
>                      ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>                      Version="2.0"
>                      >
>     <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>                   Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>                   NameQualifier="https://cas01.XXX.XXX"
>                   >https://cas01.XXX.XXX</saml2:Issuer>
> </saml2p:AuthnRequest>
> ######### END AUTHNREQUEST XML #########
>
> I've highlighted two lines that define the Format and NameQualifier 
> attributes of the Issuer element. When my tenant in Azure receives this 
> request, it throws an AADSTS75005 
> <https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/app-integration/error-code-aadsts75005-not-a-valid-saml-request>
> error (invalid SAML protocol message). However, if I manually modify the 
> XML to remove either of the two highlighted attributes (or both) and 
> resubmit, the request clears and I am able to authenticate.
>
> I've been looking and have not yet found any way to remove one or both of 
> these attributes from the XML that is generated by CAS and sent (via the 
> client browser) to Azure. Does anyone know if there is a way to remove at 
> least one of these attributes so that delegated SAML2 auth will work with 
> Azure?
>

-- 
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1ea61758-8348-4a84-a540-132082d6f5f1n%40apereo.org.
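
Added example, not part of the original thread and not CAS project code: a small Python check that decodes a captured SAMLRequest value and reports whether the Issuer element carries both Format and NameQualifier, the combination the original post reports Azure rejecting with AADSTS75005. The sample requests, cas.example.org and the function names are constructed for illustration; that the request keeps Format once NameQualifier is gone is an assumption.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

def decode_saml_request(value):
    """Decode a SAMLRequest value: base64 (HTTP-POST) or base64 + raw DEFLATE (HTTP-Redirect)."""
    raw = base64.b64decode(value)
    if raw.startswith(b"<"):
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")

def issuer_report(xml_text):
    """Return the Issuer attributes and whether Format and NameQualifier are both set."""
    if "<!DOCTYPE" in xml_text:  # a SAML message never needs a DTD; refuse to parse one
        raise ValueError("DOCTYPE not allowed in a SAML message")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML2P}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = root.find(f"{{{SAML2}}}Issuer")
    if issuer is None:
        raise ValueError("AuthnRequest has no Issuer element")
    attrs = dict(issuer.attrib)
    return {"issuer": (issuer.text or "").strip(), "attrs": attrs,
            "both_present": "Format" in attrs and "NameQualifier" in attrs}

def sample_request(with_name_qualifier):
    """Constructed AuthnRequest; cas.example.org is a placeholder entity ID."""
    nq = ' NameQualifier="https://cas.example.org"' if with_name_qualifier else ""
    return (f'<saml2p:AuthnRequest xmlns:saml2p="{SAML2P}" ID="_constructed" Version="2.0">'
            f'<saml2:Issuer xmlns:saml2="{SAML2}" '
            f'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"{nq}>'
            "https://cas.example.org</saml2:Issuer></saml2p:AuthnRequest>")

if __name__ == "__main__":
    # Compare a request with NameQualifier against one without it.
    for label, flag in (("with NameQualifier", True), ("without NameQualifier", False)):
        encoded = base64.b64encode(sample_request(flag).encode()).decode()
        print(label, issuer_report(decode_saml_request(encoded)))
```

To check a real deployment, paste the SAMLRequest value captured from the browser's developer tools into decode_saml_request before and after changing the setting.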
