Hi,

I am using pac4j delegated authentication with SAML2 so that CAS uses a
SAML2 Identity Provider (IdP) for authentication.

With CAS version 5.1.3 the <AuthnRequest> sent to the IdP has

ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

as I expect, and that matches the metadata for the CAS server SP that
was given to the IdP. The CAS server auto-generated SP SAML metadata
contains

<md:AssertionConsumerService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://my.server/cas/login?client_name=SAML2Client"
    index="0"/>

So this is consistent and the SAML flow works as expected.

With CAS version 5.2.3 the <AuthnRequest> sent to the IdP has instead

ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

That is not what I expect and appears to be a regression.

Further, if I delete the auto-generated SP metadata so that CAS version
5.2.3 re-generates it, I see in the metadata

<md:AssertionConsumerService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://my.server/cas/login?client_name=SAML2Client"
    index="0"/>

Again, this is not what I expect for the SP ACS. I would expect it to
be using the HTTP-POST binding.

Can someone confirm that this is a regression somewhere between 5.1.3
and 5.2.3?

Thanks,

Scott K

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/20180321212411.yrgvkw5jcbldzbla%40paprika.local.
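The mismatch described in the post (an <AuthnRequest> whose ProtocolBinding does not match the AssertionConsumerService binding in the SP metadata the IdP holds) is easy to check mechanically before opening a bug. The script below is an added example, not code from the post, CAS or pac4j: it parses SP metadata and an AuthnRequest, verifies that the requested ProtocolBinding and AssertionConsumerServiceURL are ones the metadata actually advertises, and flags any ACS binding over which the SAML 2.0 Web Browser SSO profile cannot deliver a <Response> (HTTP-Redirect is a request binding; Responses arrive over HTTP-POST or HTTP-Artifact). The sample metadata and request documents are constructed from the fragments quoted above; the entityID, Destination, ID and IssueInstant values are placeholders I assumed, not values CAS generates.

```python
"""Added example (not CAS or pac4j code): cross-check a SAML2 SP's metadata
against the <AuthnRequest> it emits. The XML inputs are constructed from the
fragments in the post; entityID, Destination, ID and IssueInstant are assumed
placeholders."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
# Bindings over which the Web Browser SSO profile lets an IdP return a
# <Response>. HTTP-Redirect is absent on purpose: it is a request binding and
# cannot carry a signed Response in a URL.
RESPONSE_BINDINGS = {HTTP_POST, HTTP_ARTIFACT}

ACS_URL = "https://my.server/cas/login?client_name=SAML2Client"

# Constructed SP metadata, one ACS, binding filled in per test case.
METADATA_TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://my.server/cas/login">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="{binding}"
        Location="{acs}" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed <AuthnRequest>; ID/IssueInstant/Destination are placeholders.
REQUEST_TEMPLATE = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-request-1" Version="2.0" IssueInstant="2018-01-01T00:00:00Z"
    Destination="https://idp.example.org/sso"
    ProtocolBinding="{binding}"
    AssertionConsumerServiceURL="{acs}">
  <saml:Issuer>https://my.server/cas/login</saml:Issuer>
</samlp:AuthnRequest>"""


def sp_metadata(binding, acs=ACS_URL):
    """SP metadata advertising a single ACS with the given binding."""
    return METADATA_TEMPLATE.format(binding=binding, acs=acs)


def authn_request(binding, acs=ACS_URL):
    """<AuthnRequest> asking the IdP to respond over `binding` to `acs`."""
    return REQUEST_TEMPLATE.format(binding=binding, acs=acs)


def acs_endpoints(metadata_xml):
    """Return [(binding, location, index), ...] for every ACS in SP metadata."""
    # For metadata fetched from an untrusted source, parse with defusedxml instead.
    root = ET.fromstring(metadata_xml)
    return [
        (acs.get("Binding"), acs.get("Location"), acs.get("index"))
        for acs in root.iterfind(".//md:SPSSODescriptor/md:AssertionConsumerService", NS)
    ]


def authn_request_binding(request_xml):
    """Return (ProtocolBinding, AssertionConsumerServiceURL); both are optional in SAML."""
    root = ET.fromstring(request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    return root.get("ProtocolBinding"), root.get("AssertionConsumerServiceURL")


def check_consistency(metadata_xml, request_xml):
    """Return a list of problems; an empty list means request and metadata agree."""
    problems = []
    endpoints = acs_endpoints(metadata_xml)
    advertised_bindings = {b for b, _, _ in endpoints}
    advertised_locations = {loc for _, loc, _ in endpoints}
    binding, acs_url = authn_request_binding(request_xml)

    # 1. The binding the SP asks for must be one its own metadata advertises;
    #    a strict IdP rejects the request or falls back to another ACS otherwise.
    if binding is not None and binding not in advertised_bindings:
        problems.append(
            "AuthnRequest ProtocolBinding %s is not advertised by any "
            "AssertionConsumerService in the SP metadata (advertised: %s)"
            % (binding, sorted(advertised_bindings))
        )
    # 2. An explicit ACS URL is only honoured if it is registered in the metadata.
    if acs_url is not None and acs_url not in advertised_locations:
        problems.append("AssertionConsumerServiceURL %s is not in the SP metadata" % acs_url)
    # 3. Every advertised ACS must use a binding a <Response> can travel over.
    for acs_binding, loc, idx in endpoints:
        if acs_binding not in RESPONSE_BINDINGS:
            problems.append(
                "ACS index %s (%s) uses %s, over which the Web Browser SSO profile "
                "cannot deliver a <Response>" % (idx, loc, acs_binding)
            )
    return problems


if __name__ == "__main__":
    cases = [
        ("POST metadata, POST request", HTTP_POST, HTTP_POST),
        ("POST metadata, Redirect request", HTTP_POST, HTTP_REDIRECT),
        ("Redirect metadata, Redirect request", HTTP_REDIRECT, HTTP_REDIRECT),
    ]
    for name, meta_binding, req_binding in cases:
        result = check_consistency(sp_metadata(meta_binding), authn_request(req_binding))
        print(name, "->", result or "consistent")
</test>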