I have three applications in Spring Boot and the authentication is done through a CAS server (Azure tenant). If a user logs in to any of the three applications and tries to access either of the other two, I want them not to have to log in again, but instead they are redirected to the login page. The problem appeared when I upgraded CAS from 5.3.16 to 6.2.8. This used to work on the older version.
The services are loaded into CAS from the following JSON files:
egate-1001.json
not-1003.json
sanction-1004.json
I'll post only one of them since they have the same structure.
not-1003.json:
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "https://${ENV_EGATE_HOST}/not/.*",
  "name": "Notifications",
  "description": "eGate Notifications application",
  "id": 1003,
  "matchingStrategy": {
    "@class": "org.apereo.cas.services.FullRegexRegisteredServiceMatchingStrategy"
  },
  "logoutType": "FRONT_CHANNEL",
  "logoutUrl": "https://${ENV_EGATE_HOST}/not/j_spring_cas_security_logout",
  "evaluationOrder": 10000003,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  }
}
Here is the cas.properties file.
cas.server.name=https://${ENV_EGATE_HOST}
cas.server.prefix=${cas.server.name}/cas
server.port=8443
cas.service-registry.init-from-json=false
cas.service-registry.json.location=file:${ENV_CAS_CONFIGPATH}/services
cas.authn.pac4j.oidc[0].generic.type=AZURE
cas.authn.pac4j.oidc[0].generic.discoveryUri=https://login.microsoftonline.com/${ENV_AZURE_TENANTID}/v2.0/.well-known/openid-configuration
cas.authn.pac4j.oidc[0].generic.logoutUrl=https://login.microsoftonline.com/${ENV_AZURE_TENANTID}/oauth2/logout?post_logout_redirect_uri=https://${ENV_EGATE_HOST}/cas/
cas.authn.pac4j.oidc[0].generic.id=${ENV_AZURE_APPID}
cas.authn.pac4j.oidc[0].generic.secret=${ENV_AZURE_SECRET}
cas.authn.pac4j.oidc[0].generic.auto-redirect=false
cas.authn.pac4j.oidc[0].generic.clientName=${ENV_AZURE_APPNAME}
cas.authn.pac4j.oidc[0].generic.azureTenantId=${ENV_AZURE_TENANTID}
cas.authn.pac4j.oidc[0].generic.responseType=code
cas.authn.pac4j.oidc[0].generic.useNonce=true
cas.authn.pac4j.oidc[0].generic.scope=openid profile
cas.authn.pac4j.typedIdUsed=false
cas.view.cas2.v3ForwardCompatible=true
management.endpoints.enabled-by-default = true
management.endpoints.actuatorEndpointsEnabled = true
cas.monitor.endpoints.enabled = true
cas.monitor.endpoints.sensitive = false
cas.authn.pac4j.cookie.crypto.encryption.key=${ENV_CAS_COOKIE_ENCRYPRION_KEY}
cas.authn.pac4j.cookie.crypto.signing.key=${ENV_CAS_COOKIE_SIGNING_KEY}
cas.tgc.crypto.encryption.key=${ENV_CAS_TGC_ENCRYPTION_KEY}
cas.tgc.crypto.signing.key=${ENV_CAS_TGC_SIGNING_KEY}
cas.webflow.crypto.signing.key=${ENV_CAS_WEBFLOW_SIGNING_KEY}
cas.webflow.crypto.encryption.key=${ENV_CAS_WEBFLOW_ENCRYPTION_KEY}
For each application there is a spring-security.xml file. They are written according to this documentation: https://docs.spring.io/spring-security/reference/servlet/authentication/cas.html
I tried different versions of CAS from version 6 and above, but it didn't work.
Any ideas of what could be the problem?
Thanks in advance.
The issue of CAS not remembering your SSO session seems to be caused by CAS not correctly returning the Set-Cookie header(s) with the CAS SSO cookie when a delegated authentication, like Azure in this case, is used, under some circumstances. This problem, probably a bug, is more thoroughly discussed at CAS 6.2.X: TGC Cookie set twice and more freshly also at Still struggling with Azure AD delegated login.
According to the linked forum pages, the only working workaround/solution so far is to comment out the line ticketGrantingTicketCookieGenerator.removeCookie(response); in the Java class InitialFlowSetupAction (i.e. to override this class within your CAS overlay project).
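Added diagnostic example (not CAS project code and not from either post above): the answer's symptom is a CAS response that sets the ticket-granting cookie and then sends a second Set-Cookie that clears it, so the browser never keeps the SSO session. This helper takes the Set-Cookie header values of one response, applies them in order the way a browser does (last one wins), and reports the final state of the TGC. It assumes the default CAS cookie name TGC (override it if cas.tgc.name is set), and the sample headers are constructed, not captured from a real CAS server.

```python
# Added diagnostic (not CAS code): decide what a browser will end up storing
# for the CAS ticket-granting cookie after processing a response's Set-Cookie
# headers in order.  A set followed by an expiring Set-Cookie for the same
# name deletes the SSO cookie, which is the failure mode the answer describes.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attribute names lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def is_removal(value, attrs, now=None):
    """True if this Set-Cookie deletes the cookie (Max-Age <= 0 or Expires in the past)."""
    now = now or datetime.now(timezone.utc)
    if "max-age" in attrs:
        try:
            if int(attrs["max-age"]) <= 0:
                return True
        except ValueError:
            pass  # malformed Max-Age: fall through to Expires
    if "expires" in attrs:
        try:
            if parsedate_to_datetime(attrs["expires"]) <= now:
                return True
        except (TypeError, ValueError):
            pass  # unparseable or naive date: cannot judge from Expires
    return False


def tgc_outcome(set_cookie_headers, cookie_name="TGC", now=None):
    """Walk the headers in order and report how many touched the TGC, whether any
    of them removed it, and the final state: 'stored', 'deleted' or 'absent'."""
    count = 0
    removal_seen = False
    final = "absent"
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        count += 1
        if is_removal(value, attrs, now):
            removal_seen = True
            final = "deleted"
        else:
            final = "stored"
    return {"count": count, "removal_seen": removal_seen, "final": final}


# Constructed sample responses (not captured from a real server): one healthy,
# one where CAS sets TGC and then clears it again in the same response.
HEALTHY = [
    "JSESSIONID=constructed-session; Path=/cas; Secure; HttpOnly",
    "TGC=TGT-1-constructed; Path=/cas/; Secure; HttpOnly; SameSite=Lax",
]
SET_THEN_CLEARED = [
    "TGC=TGT-1-constructed; Path=/cas/; Secure; HttpOnly; SameSite=Lax",
    "TGC=; Path=/cas/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("healthy", HEALTHY), ("set-then-cleared", SET_THEN_CLEARED)):
        print(label, tgc_outcome(headers))
```

To check a real deployment, capture the response headers of the CAS request that should establish the SSO session (for example with curl's -D to dump headers) and pass its Set-Cookie values to tgc_outcome; a result of "deleted" with count 2 matches the behaviour the linked threads describe, while "stored" points the investigation elsewhere (cookie path, Secure flag on a non-HTTPS hop, or the client-side CAS filter configuration).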