We have CAS 5.1.3 with a SAML delegation to another IDP and some web applications that are using CAS as SSO provider.
In some case, when the user leave the browser open and inactive for many hours (e.g. the night), we got the event TICKET_GRANTING_TICKET_DESTROYED during the login webflow. This event seems to loose the original service of the web-app we used to call the Cas. We saw this event before SAML IDP is called.
This an example of cas_audit.log with wrong login web-flow.
2019-03-08 05:33:21,073 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Fri Mar 08 05:33:21 CET 2019,source=RankedAuthenticationProviderWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Mar 08 05:33:21 CET 2019
CLIENT IP ADDRESS: 82.185.105.200
SERVER IP ADDRESS: 10.132.0.5
=============================================================
2019-03-08 05:33:21,076 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: TGT-**************************************************9yyIGd5HwW-cascredem
ACTION: TICKET_GRANTING_TICKET_DESTROYED
APPLICATION: CAS
WHEN: Fri Mar 08 05:33:21 CET 2019
CLIENT IP ADDRESS: 82.185.105.200
SERVER IP ADDRESS: 10.132.0.5
=============================================================
2019-03-08 05:33:24,948 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: UT01097
WHAT: Supplied credentials: [org.apereo.cas.authentication.principal.ClientCredential@578b862c[id=UT01097]] (return of SAML IDP)
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Fri Mar 08 05:33:24 CET 2019
CLIENT IP ADDRESS: 82.185.105.200
SERVER IP ADDRESS: 10.132.0.5
=============================================================
2019-03-08 05:33:24,955 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: UT01097
WHAT: TGT-**************************************************XGzd4xOnGb-cascredem
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Mar 08 05:33:24 CET 2019
CLIENT IP ADDRESS: 82.185.105.200
SERVER IP ADDRESS: 10.132.0.5
=============================================================
2019-03-08 05:33:25,521 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Fri Mar 08 05:33:25 CET 2019,source=InitialAuthenticationAttemptWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Mar 08 05:33:25 CET 2019
CLIENT IP ADDRESS: 82.185.105.200
SERVER IP ADDRESS: 10.132.0.5
=============================================================
2019-03-08 05:33:25,533 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: UT01097
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Mar 08 05:33:25 CET 2019
CLIENT IP ADDRESS: 82.185.105.200
SERVER IP ADDRESS: 10.132.0.5
=============================================================
2019-03-08 05:33:25,738 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: UT01097
WHAT: ST-75355-2etLNdlkQtnkmDSq2DGd-cascredem
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Fri Mar 08 05:33:25 CET 2019
CLIENT IP ADDRESS: 10.132.0.7
SERVER IP ADDRESS: 10.132.0.6
=============================================================
2019-03-08 04:15:13,897 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Fri Mar 08 04:15:13 CET 2019,source=RankedAuthenticationProviderWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Mar 08 04:15:13 CET 2019
CLIENT IP ADDRESS: 82.185.105.200
SERVER IP ADDRESS: 10.132.0.5
=============================================================
2019-03-08 04:15:18,663 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: UT0A011
WHAT: Supplied credentials: [org.apereo.cas.authentication.principal.ClientCredential@3126759e[id=UT0A011]]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Fri Mar 08 04:15:18 CET 2019
CLIENT IP ADDRESS: 82.185.105.200
SERVER IP ADDRESS: 10.132.0.5
=============================================================
2019-03-08 04:15:18,673 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: UT0A011
WHAT: TGT-**************************************************pBoZWWSfQ6-cascredem
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Mar 08 04:15:18 CET 2019
CLIENT IP ADDRESS: 82.185.105.200
SERVER IP ADDRESS: 10.132.0.5
=============================================================
2019-03-08 04:15:18,688 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: UT0A011
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Mar 08 04:15:18 CET 2019
2019-03-08 04:15:18,926 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: UT0A011
WHAT: ST-75348-AAc95fO7MjnEmpjFeJbE-cascredem
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Fri Mar 08 04:15:18 CET 2019
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================