hello,

CAS 7 delegated authN via SAML: I noticed that CAS signs the request, but the 
signature is one of the HTTP request parameters, not part of the SAML AuthnRequest. 

This results in Okta responding with 400 Bad Request. I tried another app 
that generates the signature inside the AuthnRequest, and that works well with Okta.

Is there a way for CAS to keep the signature as part of the SAML 
AuthnRequest?  Pac4jHTTPRedirectDeflateEncoder/doEncode() specifically 
removes the signature and does not have any way to skip that.

thx!

CAS-generated AuthnRequest during delegated authN to Okta

HTTP request
=============
SAMLRequest: nVNLj9owEL73V...............JGVDYHy7zsivpx1+R/QY=
RelayState: TST-6-WokcN.............247Q6
SigAlg: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
Signature: KG7pM............F9F5BIzQ==

<saml2p:AuthnRequest AssertionConsumerServiceURL="https://localhost:8743/cas/login?client_name=Okta"
                     AttributeConsumingServiceIndex="0"
                     Destination="https://integrator.....okta.com/app/integrator-.............hn_1/exkux...........97/sso/saml"
                     ForceAuthn="false"
                     ID="_07b013f49ba14c36b4aea4636ea1fdebfee9f1c"
                     IsPassive="false"
                     IssueInstant="2025-09-19T18:35:11.876Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Version="2.0"
                     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:8743/cas/samloktasp</saml2:Issuer>
    <saml2p:NameIDPolicy AllowCreate="true"
                         Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</saml2p:AuthnRequest>

Here is another app-generated AuthnRequest that works well with Okta:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="https://localhost:8543/saml/SSO"
                     Destination="https://integrator.......okta.com/app/integrator-....._1/exkux....697/sso/saml"
                     ForceAuthn="false"
                     ID="a55h3h9ije9cb3ig13eh144a1cg2eac"
                     IsPassive="false"
                     IssueInstant="2025-09-19T18:35:57.847Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:8543/saml/metadata</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#a55h3h9ije9cb3ig13eh144a1cg2eac">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>Fc22AXihW86stnAjDZGNp31RuKM=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>RqKJZGss9xDkHOPr10hJ
..........

== END ==

To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e6ae6098-31fa-4fda-9189-8d5266cc982dn%40apereo.org.

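Added example (not the poster's code, and not CAS's or pac4j's own implementation): a minimal Go version of the SAML 2.0 HTTP-Redirect binding signing that the first request above uses, together with the receiver-side check. Under that binding the signature is computed over the URL-encoded query string "SAMLRequest=...&RelayState=...&SigAlg=..." (RelayState omitted when empty) and is carried in a separate Signature parameter, which is why the deflated AuthnRequest XML contains no ds:Signature; the second request instead carries an enveloped XML-DSig, the form used with the HTTP-POST binding. The RSA key, the AuthnRequest XML and the RelayState value are constructed for the demo; the function names are mine.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// SigAlg value seen in the CAS request above (SAML 2.0 HTTP-Redirect binding).
const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// Constructed sample AuthnRequest. It deliberately has no ds:Signature inside:
// under the Redirect binding the signature travels as a query parameter instead.
const sampleAuthnRequest = `<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example-id" Version="2.0" IssueInstant="2025-01-01T00:00:00Z"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.test/metadata</saml2:Issuer></saml2p:AuthnRequest>`

// deflateBase64 produces the SAMLRequest value: raw DEFLATE (no zlib header), then base64.
func deflateBase64(xml string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // valid level: cannot fail
	w.Write([]byte(xml))                                     // writes to bytes.Buffer never fail
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// inflateRequest reverses deflateBase64 on an already URL-decoded SAMLRequest value.
func inflateRequest(samlRequestB64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(samlRequestB64)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	_, err = out.ReadFrom(flate.NewReader(bytes.NewReader(raw)))
	return out.String(), err
}

// signRedirectQuery (SP side): the signed octets are the URL-encoded string
// "SAMLRequest=...&RelayState=...&SigAlg=..."; Signature is appended as a fourth parameter.
func signRedirectQuery(priv *rsa.PrivateKey, xml, relayState string) (string, error) {
	signed := "SAMLRequest=" + url.QueryEscape(deflateBase64(xml))
	if relayState != "" { // RelayState is left out of the signed string entirely when absent
		signed += "&RelayState=" + url.QueryEscape(relayState)
	}
	signed += "&SigAlg=" + url.QueryEscape(sigAlgRSASHA256)
	digest := sha256.Sum256([]byte(signed))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signed + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// parseRawQuery keeps each value exactly as received (still percent-encoded):
// the receiver must verify the octets on the wire, never a re-encoded copy.
func parseRawQuery(rawQuery string) map[string]string {
	params := map[string]string{}
	for _, kv := range strings.Split(rawQuery, "&") {
		k, v, _ := strings.Cut(kv, "=")
		params[k] = v
	}
	return params
}

// verifyRedirectQuery (receiver side): rebuild the signed string from the raw
// parameters in the order SAMLRequest, RelayState, SigAlg and check Signature.
func verifyRedirectQuery(pub *rsa.PublicKey, rawQuery string) error {
	p := parseRawQuery(rawQuery)
	alg, errA := url.QueryUnescape(p["SigAlg"])
	sigB64, errS := url.QueryUnescape(p["Signature"])
	if errA != nil || errS != nil || alg != sigAlgRSASHA256 { // reject unknown algorithms outright
		return fmt.Errorf("missing or unsupported SigAlg/Signature")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	signed := "SAMLRequest=" + p["SAMLRequest"]
	if rs, ok := p["RelayState"]; ok {
		signed += "&RelayState=" + rs
	}
	signed += "&SigAlg=" + p["SigAlg"]
	digest := sha256.Sum256([]byte(signed))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // throwaway demo key
	if err != nil {
		panic(err)
	}
	query, err := signRedirectQuery(priv, sampleAuthnRequest, "TST-constructed-relay-state")
	fmt.Println("signed:", err == nil, "verifies:", verifyRedirectQuery(&priv.PublicKey, query) == nil)
}
```

Two things to take from this when debugging an exchange like the one above: a receiver that expects an enveloped ds:Signature will find nothing inside the inflated XML of a Redirect-binding request, because the signature lives only in the Signature parameter; and a receiver that does implement the Redirect binding must rebuild the signed string from the raw query octets in the spec's parameter order, since re-encoding the values (or sorting the parameters) changes the bytes and makes a valid signature fail. The values used here contain no spaces, so Go's "+" encoding of spaces in QueryEscape never comes into play.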