Tomi,

CAS can delegate authentication to another SAML IdP. See 
https://apereo.github.io/cas/7.2.x/integration/Delegate-Authentication.html

Or are you trying to protect an application (in which case the CAS server is not 
the correct tool)?

Pac4j (or another CAS client) can be included in the application (if you are 
building the application); or the Shibboleth SP can be installed on the web server 
hosting your application.

Ray
________________________________
From: cas-user@apereo.org <cas-user@apereo.org> on behalf of Tomi Karlstedt <toka...@reaktor.fi>
Sent: May 20, 2025 00:23
To: CAS Community <cas-user@apereo.org>
Subject: [cas-user] Delegated SAML2 logins create huge tickets

Hi,

We enabled a SAML2 integration on our CAS 7 server. The CAS server acts as a 
service provider. For whatever reason, the integration is creating huge tickets 
into the database and eventually producing OutOfMemoryErrors on the CAS server. 
We checked that one of the serialized tickets looks otherwise pretty normal 
except that it has hundreds of megabytes of authnContext with just single array 
list of strings:

"authenticationAttributes":{"@class":"java.util.HashMap","issuerId":"***","authnContext":["java.util.ArrayList",["urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"...

Our configuration is as follows:

cas.authn.pac4j.saml[0].keystore-password: ***
cas.authn.pac4j.saml[0].private-key-password: ***
cas.authn.pac4j.saml[0].service-provider-entity-id: ***
cas.authn.pac4j.saml[0].metadata.identity-provider-metadata-path: ***
cas.authn.pac4j.saml[0].metadata.service-provider.file-system.location: ***
cas.authn.pac4j.saml[0].keystore-path: ***
cas.authn.pac4j.saml[0].destination-binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
cas.authn.pac4j.saml[0].logout-response-binding-type: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
cas.authn.pac4j.saml[0].client-name: ***
cas.authn.pac4j.saml[0].sign-authn-request: true
cas.authn.pac4j.saml[0].wants-assertions-signed: true
cas.authn.pac4j.saml[0].wants-responses-signed: true
cas.authn.pac4j.saml[0].sign-service-provider-logout-request: true
cas.authn.pac4j.saml[0].use-name-qualifier: false

I haven't been able to figure out why this is happening. Any ideas what could 
be the culprit?

Tomi

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org<mailto:cas-user+unsubscr...@apereo.org>.
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/abaec734-5c99-42d0-9611-44428a09acb3n%40apereo.org<https://groups.google.com/a/apereo.org/d/msgid/cas-user/abaec734-5c99-42d0-9611-44428a09acb3n%40apereo.org?utm_medium=email&utm_source=footer>.
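The following is an added diagnostic, not code from the original thread or from the CAS project. It takes a serialized ticket in the Jackson default-typing JSON form quoted above (the "java.util.ArrayList" wrapper around list values), measures how many bytes each authentication attribute contributes, and flags attributes that are both large and dominated by repeated values, which is the shape of the authnContext list in the post. The sample ticket, its outer structure, the issuer URL, the client name and the repeat count are all constructed for the example; only the attribute map layout and the PasswordProtectedTransport URN come from the post.

```python
"""Diagnose oversized CAS tickets: size up each authentication attribute in a
serialized ticket and flag list attributes that are mostly duplicate values."""
import json
from collections import Counter

# Constructed sample, modelled on the fragment quoted in the post: a Jackson
# default-typing JSON ticket whose authnContext list repeats the same SAML
# AuthnContextClassRef URN thousands of times. The surrounding ticket shape,
# the issuer, the client name and the repeat count are assumptions.
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
SAMPLE_TICKET = json.dumps({
    "@class": "org.apereo.cas.ticket.TicketGrantingTicketImpl",  # assumed
    "id": "TGT-1-constructed",
    "authentication": {
        "principal": {"id": "jdoe"},
        "authenticationAttributes": {
            "@class": "java.util.HashMap",
            "issuerId": "https://idp.example.org/idp",
            "authnContext": ["java.util.ArrayList", [PPT] * 5000],
            "clientName": "SAML2Client",
        },
    },
})


def _unwrap(value):
    """Strip a Jackson default-typing wrapper: ["java.util.ArrayList", [...]] -> [...]."""
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and value[0].startswith("java.")
            and isinstance(value[1], list)):
        return value[1]
    return value


def _attribute_maps(node):
    """Yield every authenticationAttributes map found anywhere in the ticket,
    so the walk does not depend on where CAS nests the authentication object."""
    if isinstance(node, dict):
        if isinstance(node.get("authenticationAttributes"), dict):
            yield node["authenticationAttributes"]
        for child in node.values():
            yield from _attribute_maps(child)
    elif isinstance(node, list):
        for child in node:
            yield from _attribute_maps(child)


def attribute_report(ticket_json):
    """Per attribute: serialized bytes, number of values, number of distinct values."""
    report = {}
    for attrs in _attribute_maps(json.loads(ticket_json)):
        for name, value in attrs.items():
            if name == "@class":
                continue
            values = _unwrap(value)
            if not isinstance(values, list):
                values = [values]
            report[name] = {
                "bytes": len(json.dumps(value, separators=(",", ":")).encode()),
                "count": len(values),
                "distinct": len(Counter(json.dumps(v, sort_keys=True) for v in values)),
            }
    return report


def bloated_attributes(ticket_json, min_bytes=64 * 1024, min_repeat=10):
    """Attributes that are both large and dominated by repeats of a few values.
    Thresholds are arbitrary starting points; tune them to your ticket sizes."""
    return sorted(
        name for name, r in attribute_report(ticket_json).items()
        if r["bytes"] >= min_bytes and r["count"] >= min_repeat * r["distinct"]
    )


def dedupe_list_attributes(ticket_json):
    """Collapse repeated values in wrapped list attributes, keeping first-seen
    order. This measures how much of a ticket is pure repetition; it does not
    address whatever is producing the repeats."""
    ticket = json.loads(ticket_json)
    for attrs in _attribute_maps(ticket):
        for name, value in attrs.items():
            inner = _unwrap(value)
            if inner is value:  # not a wrapped list, leave it alone
                continue
            seen, kept = set(), []
            for v in inner:
                key = json.dumps(v, sort_keys=True)
                if key not in seen:
                    seen.add(key)
                    kept.append(v)
            attrs[name] = [value[0], kept]
    return json.dumps(ticket)


if __name__ == "__main__":
    for name, r in attribute_report(SAMPLE_TICKET).items():
        print(f"{name}: {r['bytes']} bytes, {r['count']} values, {r['distinct']} distinct")
    print("bloated:", bloated_attributes(SAMPLE_TICKET))
    print("bytes after dedupe:", len(dedupe_list_attributes(SAMPLE_TICKET)))
```

Run it against a ticket dumped from the registry (the JSON column or document, with the doubled quotes of a CSV export undone) to see which attribute is carrying the weight and how much would disappear if the list held only distinct values; that narrows the question from "the ticket is huge" to "this one attribute is being appended to".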

To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/YQBP288MB0081FFA05608C5AFAD8C5710CE9FA%40YQBP288MB0081.CANP288.PROD.OUTLOOK.COM.
