I have successfully configured CAS 6.5.9 with Proxy Authentication. As mentioned in the documentation, my use case does not support the invoking of a callback URL, so I have requested that the PGT be returned in the validation response.
Everything works as intended, until I actually attempt to validate the ST using the /p3/serviceValidate endpoint. The ST ticket validates fine but the PGT or pgtId is NOT returned in the response as expected. I created the public/private key pair as documented and provided to CAS via the service definition, along with all the other configuration required. And nothing - no PGT in the validation response. Has anyone else had this issue or have any suggestions?
Eureka! I found the answer to this issue - thanks to this article.
I inadvertently (and probably correctly) had the following configuration property set in my /etc/cas.properties file:
cas.authn.authenticationAttributeRelease.enabled=false
This setting essentially overrides and blocks the ability to include any authentication attributes - including the PGT - from the validation response! In order to enable it, this setting must be set to true and then limited by the corresponding entry removing any additional attributes you don't wish to be included!
cas.authn.authenticationAttributeRelease.neverRelease=credentialType,authenticationDate,...
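Added example, not part of the original post and not CAS project code: a small Python check that reads a cas.properties file and reports whether the two settings named above would block the PGT or leave authentication attributes unfiltered. The attribute name `proxyGrantingTicket`, the finding labels and the sample inputs are assumptions made for this illustration.

```python
import re

# Keys as written in the post. Spring Boot relaxed binding also accepts the
# kebab-case spelling, so keys are compared with hyphens and case removed.
ENABLED = "cas.authn.authenticationattributerelease.enabled"
NEVER = "cas.authn.authenticationattributerelease.neverrelease"
PGT_ATTR = "proxyGrantingTicket"  # assumed attribute name, adjust if yours differs

# Constructed sample inputs (not taken from a real deployment).
BROKEN = "# sample\ncas.authn.authenticationAttributeRelease.enabled=false\n"
FIXED = r"""cas.authn.authentication-attribute-release.enabled: true
cas.authn.authentication-attribute-release.never-release=credentialType,\
    authenticationDate
"""


def parse_properties(text):
    """Minimal .properties reader: comments, '=' or ':' separators, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.startswith(("#", "!")):
            continue
        if line.endswith("\\"):
            pending = line[:-1]  # join with the next physical line
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1).replace("-", "").lower()] = match.group(2)
    return props


def diagnose(text, pgt_attr=PGT_ATTR):
    """Return finding labels for the attribute-release settings in a properties file."""
    props = parse_properties(text)
    never = {a.strip() for a in props.get(NEVER, "").split(",") if a.strip()}
    if props.get(ENABLED, "").strip().lower() == "false":
        return ["release-disabled"]  # nothing is released, PGT included
    findings = []
    if pgt_attr in never:
        findings.append("pgt-suppressed")  # PGT itself is on the deny list
    if not never:
        findings.append("no-never-release-list")  # every attribute is released
    return findings


if __name__ == "__main__":
    for name, sample in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, diagnose(sample) or "ok")
```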